ML24019A099

From kanterella
Grants Management Database Privacy Impact Assessment (PIA)
ML24019A099
Person / Time
Issue date: 02/09/2024
From:
Office of Nuclear Regulatory Research
To:
Shaffer S


Text

U.S. Nuclear Regulatory Commission

Privacy Impact Assessment Grants Management Database Office of Research

Version 1.0 February 9, 2024

Instruction Notes:

Please do not enter the PIA document into ADAMS. An ADAMS accession number will be assigned through the e-Concurrence system, which will be handled by the Privacy Team.

Template Version 2.0 (08/2023)

Grants Management Database Version 1.0 Privacy Impact Assessment 02/09/2024

Document Revision History

Date        Version   PIA Name/Description                          Author
02/09/2024  1.0       Grants Management Database, Initial Release   Sarah Shaffer

Table of Contents

1 Description 1

2 Authorities and Other Requirements 3

3 Characterization of the Information 4

4 Data Security 6

5 Privacy Act Determination 8

6 Records and Information Management-Retention and Disposal 9

7 Paperwork Reduction Act 12

8 Privacy Act Determination 13

9 OMB Clearance Determination 14

10 Records Retention and Disposal Schedule Determination 15

11 Branch Chief Review and Concurrence 16

The agency is subject to the requirements of the E-Government Act and is committed to identifying and addressing privacy risks whenever it develops or makes changes to its information systems. The questions below help determine any privacy risks related to the E-Government Act or later guidance by the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST).

Name/System/Subsystem/Service Name: Grants Management Database.

Data Storage Location (e.g., Database Server, SharePoint, Cloud, Other Government Agency, Power Platform): NRC University Nuclear Leadership Program (UNLP) SharePoint Site.

Date Submitted for review/approval: February 9, 2024.

Note: When completing this PIA do not include any information that would raise security concerns or prevent this document from being made publicly available.

1 Description

1.1 Provide the description of the system/subsystem, technology (e.g., Microsoft products), program, or other data collection (hereinafter referred to as the project).

Explain the reason the project is being created.

The Office of Nuclear Regulatory Research (RES) grants program, titled University Nuclear Leadership Program (UNLP), created a PowerApps database (11/2023) to record and maintain grant recipients' (students') information so that the program can track students through graduation and into employment, as required under the terms of the NRC's grant program. This information is needed to determine whether a student must repay funds received under the grant program if they do not obtain a job in a nuclear-related field. The information collected consists of the following:

  • Student last name
  • Student first name
  • Grantee
  • Grant award
  • Type of award
  • Period of performance
  • Service agreement received
  • Major of student
  • Student address
  • Student phone number
  • Student email
  • Expected graduation date
  • Support in years (this is how much time a student is to work in a nuclear position)
  • Funds received
  • Work status
  • Service obligation reached
  • Place of employment
  • Position held
  • Comments
  • Number and types of student contact (email, phone, voicemail)

Please mark the appropriate response below if your project/system will involve any of the following:

Options: PowerApps; Public Website; Dashboard; Internal Website; SharePoint; None; Other.

1.2 Does this privacy impact assessment (PIA) support a proposed new project, a proposed modification to an existing project, or another situation? Mark the status option that best applies below.

Status options:

New system/project.

Modification to an existing system/project. If modifying or making other updates to an existing system/project, provide the ADAMS ML number of the existing PIA and describe the modification.

Prior to 11/2023, the UNLP grant program collected and recorded students' information in an Excel spreadsheet, using the data collected from the service agreements. In 11/2023, RES grant staff worked with OCIO to have a PowerApps database created to house all the information pertaining to the grant program, including the tracking of the students supported and their signed service agreements.

Annual Review. If making minor edits to an existing system/project, briefly describe the changes below.

Other (explain).


1.3 Points of Contact:

(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)

Project Manager: Sarah Shaffer (301-415-2031); Ashley Willen (301-415-3327). Office/Division/Branch: RES/PMDA/FPMT. Telephone: see above.

System Owner/Data Owner/Steward: OCIO/RES.

ISSO: James Baughman. Office/Division/Branch: OCIO/ITSDOD/EAPSB/EPT. Telephone: 301-287-0778.

Business Project Manager / Technical Project Manager / Executive Sponsor: -; OCIO; Sarah Shaffer.

2 Authorities and Other Requirements

2.1 What specific legal authorities and/or agreements permit the collection of information for the project?

Provide all statutory and regulatory authorities for operating the project, including the authority to collect the information; NRC internal policy is not a legal authority. Please mark appropriate response in table below.

Mark with an X all that apply, and give the authority citation/reference.

Statute: The Omnibus Appropriations Act, 2009 (Public Law 111-8).

Executive Order: (none).

Federal Regulation: (none).

Memorandum of Understanding/Agreement: (none).

Other (summarize and provide a copy of the relevant portion): (none).

2.2 Explain how the information will be used under the authority listed above (e.g., enroll employees in a subsidies program to provide subsidy payments).

As stated in Item 1 above: This information is used to track a student that receives federal grant funds from academia through employment after graduation.


If the project collects Social Security numbers, state why this is necessary and how it will be used.

N/A.

3 Characterization of the Information

In the table below, mark the categories of individuals for whom information is collected.

Category of individual: Federal employees; Contractors; Members of the Public (any individual other than a federal employee, consultant, or contractor); Licensees; Other - students supported by NRC's UNLP grants.

The table below lists the most common types of PII collected. Mark all PII that is collected and stored by the project/system. If there is additional PII not defined in the table below, a comprehensive listing of PII is provided for further reference in ADAMS at the following link: PII Reference Table 2023.

Categories of Information:

  • Name
  • Resume or curriculum vitae
  • Date of Birth
  • Driver's License Number
  • Country of Birth
  • License Plate Number
  • Citizenship
  • Passport Number
  • Nationality
  • Relatives Information
  • Race
  • Taxpayer Identification Number
  • Home Address
  • Credit/Debit Card Number
  • Social Security Number (Truncated or Partial)
  • Medical/health information
  • Gender
  • Alien Registration Number
  • Ethnicity
  • Professional/personal references
  • Spouse Information
  • Criminal History
  • Personal e-mail address
  • Biometric identifiers (facial images, fingerprints, iris scans)
  • Personal Bank Account Number
  • Emergency contact (e.g., a third party to contact in case of an emergency)
  • Personal Mobile Number
  • Accommodation/disabilities information
  • Marital Status
  • Children Information
  • Mother's Maiden Name
  • Other: graduation dates; amount of funds received from the grants; degree that the student is attending the institution for

3.1 Describe how the data is collected for the project (e.g., NRC form, survey, questionnaire, existing NRC files/databases, response to a background check).

NRC created a service agreement for the institutions to use, and that agreement became NRC Form 972. The institutions have the students fill out the contact information and then sign.

The institution's grant coordinator then signs and submits NRC Form 972 to the NRC for review and approval. NRC reviews the form, countersigns the agreement, enters the student's information into the database, uploads the service agreement into the database, and then returns a copy of the completed, approved form to the institution.

3.2 If using a form to collect the information, provide the form number, title and/or a link.

The form is NRC Form 972: NRC University Nuclear Leadership Program (UNLP) Service Agreement for Grant Fellowships, and Scholarships to Colleges, Universities and Trade/Community Colleges. This form is still awaiting OMB approval.

3.3 Who provides the information? Is it provided directly by the individual or by a third party?

The student requesting the funds from a grant, and the institution that the grant was awarded to.

3.4 Explain how the accuracy of the data collection is validated. If the project does not check for accuracy, please explain why.

The data that is collected is validated when we communicate with the students or the institution.

3.5 Will PII data be used in a test environment? If so, explain the rationale.

No.

3.6 What procedures are in place to allow the subject individual to correct inaccurate or erroneous information?

All data is entered into the database manually. NRC receives annual progress reports from the institutions, which also contain the information for each student. The information is tracked for updates through the life of the grant for each student, and updates are made based on the data provided to the NRC. Students are also contacted after graduation to check and correct any missing or incorrect data, and are given an email address they can contact with any changes.

4 Data Security

4.1 Describe who has access to the data in the project (e.g., internal NRC, system administrators, external agencies, contractors, public).

The RES PMDA Director and the RES grant staff (Sarah Shaffer and Ashley Willen). OCIO created the database and is therefore the owner for maintenance: Pete Filicetti and Peter Filicetti.

4.2 If the project/system shares information with any other NRC systems, identify the system, what information is being shared and the method of sharing.

N/A.

4.3 If the project/system connects, receives, or shares information with any external non-NRC partners or systems, identify what is being shared.

N/A.

Identify what agreements are in place with the external non-NRC partner or system:

Contract (provide contract number): (none).

License (provide license information): (none).

Memorandum of Understanding (provide ADAMS ML number for MOU): (none).

Other: None.

4.4 Describe how the data is accessed and describe the access control mechanisms that prevent misuse.

The data is accessed through the database only. The database is restricted to grant staff within RES with a valid need-to-know.

4.5 Explain how the data is transmitted and how confidentiality is protected (e.g., by encrypting the communication or by encrypting the information before it is transmitted).

Currently, all information is sent via email between NRC and the grantee.

4.6 Describe where the data is being stored (e.g., NRC, Cloud, Contractor Site).

NRC PowerApps database and SharePoint.


4.7 Explain if the project can be accessed or operated at more than one location.

Yes. Those who have access to the database can access the information remotely when needed (e.g., when working from home), using NRC GFE.

4.8 Can the project be accessed by a contractor? If so, do they possess an NRC badge?

Yes. The OCIO contractor that built the database, using NRC GFE.

4.9 Explain the auditing measures and technical safeguards in place to prevent misuse of data.

Limited personnel access, and restricted database in which the information is contained.

4.10 Describe if the project has the capability to identify, locate, and monitor (i.e., trace/track/observe) individuals.

N/A.

4.11 Define which FISMA boundary this project is part of.

This is in the ITI boundary.

4.12 Is there an Authority to Operate (ATO) associated with this project/system?

Authorization status options:

Unknown.

No. If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and Computer Security Organization (CSO) Point of Contact (POC) via e-mail quarterly to ensure the authorization remains on track.

In Progress. Provide the estimated date to receive an ATO. Estimated date: (none given).

Yes.

Indicate the data impact levels (Low, Moderate, High, Undefined) approved by the Chief Information Security Officer (CISO):

Confidentiality: Moderate. Integrity: Moderate. Availability: Moderate.


4.13 Provide the NRC system Enterprise Architecture (EA)/Inventory number. If unknown, contact EA Service Desk to get the EA/Inventory number.

ITI EA # is 20090005.

5 Privacy Act Determination

5.1 Is the data collected retrieved by a personal identifier?

Mark the appropriate response.

Response options:

Yes, PII is retrieved by a personal identifier (e.g., name, e-mail address, SSN, etc.). List the personal identifiers that will be used to retrieve information on the individual: First and Last Name.

No, PII is not retrieved by a personal identifier.

5.2 For all collections where the data is retrieved by a personal identifier, the Privacy Act requires that the agency publish a System of Records Notice (SORN) in the Federal Register. As per the Privacy Act of 1974, "the term 'system of records' means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some other personal identifier assigned to the individual."

Mark the appropriate response in the table below.

Response options:

Yes, this system is covered by an existing SORN. (See existing SORNs: https://www.nrc.gov/reading-rm/foia/privacy-systems.html.) Provide the SORN name and number (list all SORNs that apply): NRC 5 - Grants Management System.

A SORN is in progress.

A SORN needs to be created.

Unaware of an existing SORN for this system.

This system is not a system of records; a SORN is not applicable.


5.3 When an individual is asked to provide personal data (i.e., form, webpage, survey), is a Privacy Act Statement (PAS) provided?

A Privacy Act Statement is a disclosure statement required to appear on documents used by agencies when an individual is asked to provide personal data. It is required for any forms, surveys, or other documents, including electronic forms, used to solicit personal information from individuals that will be maintained in a system of records.

Mark the appropriate response.

Options:

Privacy Act Statement: There is no link available at this time; the form is awaiting OMB clearance before it is added to the forms library. The Privacy Act Statement is included with NRC Form 972: NRC University Nuclear Leadership Program (UNLP) Service Agreement for Grant Fellowships, and Scholarships to Colleges, Universities and Trade/Community Colleges.

Not applicable.

Unknown.

5.4 Is providing the PII mandatory or voluntary? What is the effect on the individual of not providing the information?

Mandatory - if the student/institution does not provide the required information, then the student does not receive funds from an NRC grant.

6 Records and Information Management-Retention and Disposal

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are Temporary (eligible at some point for destruction/deletion because they no longer have business value) or Permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). Records/data and information with historical value, identified as having a permanent disposition, are transferred to the National Archives of the United States at the end of their retention period. All other records identified as having a temporary disposition are destroyed at the end of their retention period in accordance with the NARA Records Schedule or the General Records Schedule.

These determinations are made through records retention schedules and NARA statutes and regulations (44 United States Code (U.S.C.), 36 Code of Federal Regulations (CFR)). Under 36 CFR, agencies are required to establish procedures for addressing Records and Information Management (RIM) requirements. This includes strategies for establishing and managing recordkeeping requirements and disposition instructions before approving new electronic information systems or enhancements to existing systems.


The following questions are intended to determine whether the records/data and information in the system have approved records retention schedules and disposition instructions, whether the system incorporates RIM strategies including support for NARA's Universal Electronic Records Management (ERM) requirements, and whether a mitigation strategy is needed to ensure compliance.

If the project/system:

  • Does not have an approved records retention schedule, and/or
  • Does not have automated RIM functionality,
  • Involves a cloud solution,
  • And/or if there are additional questions regarding Records and Information Management - Retention and Disposal,

please contact the NRC Records staff at ITIMPolicy.Resource@nrc.gov for further guidance.

If the project/system has a record retention schedule or an automated RIM functionality, please complete the questions below.

6.1 Does this project map to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910) or NARA's General Records Schedules?

Options: NUREG-0910, NRC Comprehensive Records Disposition Schedule; NARA's General Records Schedules; Unscheduled.


6.2 If so, cite the schedule number and approved disposition, and describe how this is accomplished.

System Name (include sub-systems, SharePoint platforms, or other locations where the same data resides): Power Apps Database: Grants Manager.

Records Retention Schedule Number(s): GRS 1.2 item 010, Grant and cooperative agreement program management records; GRS 1.2 item 020, Grant and cooperative agreement case files, successful applications.

Approved Disposition Instructions: GRS 1.2 item 010: Temporary. Destroy 3 years after final action is taken on the file, but longer retention is authorized if required for business use. GRS 1.2 item 020: Temporary. Destroy 10 years after final action is taken on the file, but longer retention is authorized if required for business use.

Is there current automated functionality or a manual process to support RIM requirements? This includes the ability to apply records retention and disposition policies in the system(s) to support records accessibility, reliability, integrity, and disposition.

Disposition of Temporary Records. Will the records/data or a composite be automatically or manually deleted once they reach their approved retention? We retain the information for reporting purposes to OMB on metrics, which is required under the program. The students are not removed from the database; they are just marked completed.

Disposition of Permanent Records. Will the records be exported to an approved format and transferred to the National Archives based on approved retention and disposition instructions? If so, what formats will be used? (NRC Transfer Guidance: Information and Records Management Guideline, IRMG.) N/A.

Note: Information in Section 6, Records and Information Management-Retention and Disposal, does not need to be fully resolved for final approval of the privacy impact assessment.

7 Paperwork Reduction Act

The Paperwork Reduction Act (PRA) of 1995 requires that agencies obtain Office of Management and Budget (OMB) approval, in the form of a "control number", before promulgating a paper form, website, survey, questionnaire, or electronic submission collecting information from 10 or more members of the public. If the data collection is from federal employees regarding work-related duties, a PRA clearance is not necessary.

7.1 Will the project be collecting any information from 10 or more persons who are not Federal employees?

Yes - we collect numerous requests each day. The number of requests depends on the institution that is using the grant award.

7.2 Is there any collection of information addressed to all or a substantial majority of an industry (i.e., Fuel Fabrication Facilities or Fuel Cycle Facilities)?

No.

7.3 Is the collection of information required by a rule of general applicability?

I'm unsure how to address this question.

Note: For information collection (OMB clearances) questions: contact the NRCs Clearance Officer. Additional guidance can be found on the NRCs internal Information Collections Web page at: https://intranet.nrc.gov/ocio/33456.

STOP HERE - The remaining pages will be completed by the Privacy Officer, Records Management, and Information Collections Team.

8 Privacy Act Determination

Project/System Name: Grants Management Database
Submitting Office: Office of Research

Privacy Officer Review

Review Results / Action Items:

This project/system does not contain PII. No further action is necessary for Privacy.

This project/system does contain PII; the Privacy Act does NOT apply, since information is NOT retrieved by a personal identifier. Must be protected with restricted access to those with a valid need-to-know.

This project/system does contain PII; the Privacy Act does apply. SORN is required; information is retrieved by a personal identifier.

Comments:

Covered by System of Records Notice, NRC 5 - Grants Management System.

Reviewer's Name / Title: Privacy Officer. Signed by Hardy, Sally on 02/27/24.

9 OMB Clearance Determination

NRC Clearance Officer Review

Review Results:

No OMB clearance is needed.

OMB clearance is needed.

Currently has OMB Clearance. Clearance No. 3150-0107.

Comments:

The Information Collection Request to obtain OMB approval to collect information using NRC Form 972 is pending with OMB. The two progress reports have already been approved by OMB under 3150-0107.

Reviewer's Name / Title: Agency Clearance Officer. Signed by Cullison, David on 02/23/24.

10 Records Retention and Disposal Schedule Determination

Records Information Management Review

Review Results:

No record schedule required.

Additional information is needed to complete assessment.

Needs to be scheduled.

Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name / Title: Sr. Program Analyst, Electronic Records Manager. Signed by Dove, Marna on 02/16/24.

11 Branch Chief Review and Concurrence

Review Results:

This project/system does not collect, maintain, or disseminate information in identifiable form.

This project/system does collect, maintain, or disseminate information in identifiable form.

I concur with the Privacy Act, Information Collections, and Records Management reviews.

Chief Information Security Officer Chief Information Security Division Office of the Chief Information Officer Signed by Feibus, Jonathan on 02/27/24


ADDITIONAL ACTION ITEMS/CONCERNS

Name of Project/System: Grants Management Database

Date CSB received PIA for review: February 9, 2024.
Date CSB completed PIA review: February 23, 2024.

Action Items/Concerns:

Copies of this PIA will be provided to:

Gwendolyn Hayden Acting Director IT Services Development and Operations Division Office of the Chief Information Officer

Jonathan Feibus Chief Information Security Officer Chief Information Security Division Office of the Chief Information Officer
