U.S. Department of Commerce

Transcription

1 U.S. Department of Commerce U.S. Census Bureau Privacy Impact Assessment for CEN04 Commerce Business Systems Reviewed by: djttu*c_ tlsftttj, Edwina Jaramillo, AssistarifQiief, Privacy Compliance Branch Approved by: Date approved: f/>,,^-^- ByrorrTrenshaw, Chief, Privacy Compliance Branch 0/&i[l5

2 U.S. Department ofcommerce Privacy Impact Assessment U. S. Census Bureau / CEN04 Commerce Business Systems Unique Investment Identifier: Introduction: System Description CEN04 Commerce Business Systems (CBS) is the Department ofcommerce (DoC) enterprise financial system that is implemented at its operating units including the U.S. Census Bureau (BOC). CBS at Census includes the Core Financial System (CFS) whose core financial code is developed by DoC. Within the CFS, BOC-specific applications are developed and managed by the Census Bureau known as "feeder systems". CBS includes the following applications and/or componentsthat collect personally identifiable information(pii): The Core Financial System (CFS) is a central component ofcbs and provides the financial management and accounting capabilities to support BOC financial operations. The BOC developed portions ofcbs are tested, supported and managed by the BOC Application Services Division (ASD), Assistant Division Chief(ADC) for Administrative Systems, while CFS system testing and software development is performed by the DoC CBS Support Center (CSC), with additional operational testing and verification by BOC ASD and BOC Finance Division in the BOC environment. Computer Services Division (CSvD) has separate teams who manage the Unix and Windows-based servers within the system, while the LAN Technology Support Office (LTSO) supports user Windows workstations within the system. ASD personnel perform database and application administration and support. CBS enables DoC to meet the requirements ofthe ChiefFinancial Officers Act (CFO Act) of 1990, P.L ; the Federal Financial Management Improvement Actof 1996, P.L ; and Office ofmanagement and Budget (OMB) Circular A-127. Financial Management Systems. CBS supports the financial functions required to track financial events, provides financial information for the financial managementofdoc and its operating units, is required for the preparation offinancial statements, and to allow DoC to continue receiving clean financial audit opinions.

3 The Department of Commerce Privacy Impact Assessment (PIA) for CBS is published at: Privacy/PRODQ The BOC publishes this CBS PIA to include the Census portion of the DoC CBS system and additional PII collected and maintained by other Census developed applications in the system including the systems/components described below: Automated Property Management System (APMS), which controls and tracks Census accountable property. Travel Management Information System (TMIS+) which creates travel-related transactions. Jeffersonville Time and Attendance System (JTAS) which collects information from the Jeffersonville Activity Reporting System and formats it for input into the Census Bureau's Time and Attendance (T&A) System. Data is transmitted via the DOC T&A application to the National Finance Center (NFC). The Federal Information Processing Standard (FIPS) 199 security impact category for this system is moderate. The legal authorities to collect personally identifiable information (PII) are identified in the SORNs that cover the records maintained by this IT system: SORN COMMERCE/DEPT-2. Accounts Receivable: 28 U.S.C Debt Collection Act of 1982 (Pub. L ): 26 U.S.C. 6402(d): and 31 U.S.C. 3711: SORN COMMERCE/DEPT-9. Travel Records (domestic and Foreign) of Employees and Certain Other Persons: Budget and Accounting Act of 1921: Accounting and Auditing Act of 1950: and Federal Claim Collection Act of 1966: SORN COMMERCE/DEPT-16. Property Accountability Files: 5 U.S.C. 301: 44 U.S.C. 3101: 40 U.S.C : 15 U.S.C. 1518: SORN COMMERCE/DEPT-17. Records of Cash Receipts: 31 U.S.C. 66(a): SORN COMMERCE/DEPT-22. Small Purchase Records: 31 U.S.C and 40 U.S.C. 486(c).

4 Section 1: Information in the System 1.1 Indicate what personally identifiable information (PII)/business identifiable information (BII) is collected, maintained, or disseminated. Check all that apply. IHpntifying Numbers (IN) a. Social Security e. Alien Registration i. Financial Account b. Taxpayer ID f. Driver's License j. Financial Transaction c. Employee ID g. Passport k. Vehicle Identifier d. File/Case ID h. Credit Card 1. Employer ID Number m. Other identifying numbers (specify): General Personal Data fgpd^ a. Name g. Date of Birth m. Religion b. Maiden Name h. Place of Birth n. Financial Information c. Alias i. Home Address o. Medical Information d. Gender j. Telephone Number p. Military Service e. Age k. Address q. Physical Characteristics f. Race/Ethnicity 1. Education r. Mother's Maiden Name s. Other general personal data (specify): Work-Related Data (WRD) - Title 5 Data a. Occupation d. Telephone Number g. Salary b. Job Title e. Address h. Work History' c. Work Address f. Business Associates i. Other work-related data (specify): Employer name, vendor name Distinguishing Features/Biometrics (DFB) a. Fingerprints d. Photographs g. DNA Profiles b. Palm Prints e. Scars, Marks, Tattoos h. Retina/Iris Scans c. Voice Recording/Signatures j. Other distinguishing features/biometrics (specify): f. Vascular Scan i. Dental Profile System Administration/Audit Data (SAAD) a. User ID c. Date/Time of Access e. ID Files Accessed b. IP Address d. Queries Run f. Contents of Files g. Other system administration/audit data (specify): Other Personally Identifiable Information (specify) Name & address of BOC & DoC contact

5 1.2 Indicate sources of the PII/BII in the system. Check all that apply. PII/BII Obtained Direct Contact In Person Telephone Other (specify): Hard Copy: Mail/Fax Online Government Sources Within the Bureau State, Local, Tribal Other (specify): Other DoC Bureaus Foreign Other Federal Agencies Non-government Sources Public Organizations Commercial Data Brokers Other (specify): Public Media, Internet Private Sector 1.3 Indicate the legal authority of the data collection. Title 5, U.S.C, Section 301 Title 13, U.S.C, Section 131 Title 13. U.S.C, Section 8(b) I Title 13, U.S.C, Section 141 Title 26, U.S.C 365fc26UaSsC 640?.fd->:and31 U.S.C. 371U f^ndtipinfi^^ nf1950: and Fgdg aj Claim Qpjlgetigg Act of1966: AA U.S.C U.S.C 48'-9> 1 U.S.C. 1518: -\\ U.S.C 66(a); 31 llv.c 3321»"<\A0 U.S.C 486(c).

6 Section 2: Purpose of the System 2.1 Indicate why the PII/BII in the system is being collected, maintained, or disseminated. Check all that apply. Purpose, To determine eligibility For administering human resources programs For administrative matters To promote information sharing initiatives For litigation For criminal law enforcement activities For civil enforcement activities For intelligence activities For statistical purposes (i.e., Censuses/Surveys) Other (specify): Section 3: Use of the System 3.1 Provide an explanation of how the agency will use the PII/BII to accomplish the checked purpose(s), e.g., PII/BII collected to produce national statistical information, etc. Describe why the PII/BII that is collected, maintained, ordisseminated is necessary to accomplish the checked purpose(s) and further the mission of the bureau and/or the Department. Indicate if the PII/BII identified in Section 1.1 of this document is in reference to a federal employee/contractor, member of public, foreign national, visitor or other (specify). Reasons for collecting the information: a. Social security number(ssn) and/or taxpayer identification number (TIN) identify an individual and "sole proprietor" business where the SSN is used as the identifier or the TIN, whichever is appropriate. A Taxpayer Identification Number (TIN) is a nine-digit number, which is either an Employer Identification Number(EIN) assigned by the Internal Revenue Service (IRS) or a Social Security Number (SSN) assigned by the Social Security Administration (SSA). Agencies are required to collect TINs [Debt Collection Improvement Act. 31 U.S.C 7701 Cc)1 and to include the TIN in vouchers submitted for payment [31 U.S.C 3325 (d)l. b. Name, address and contact information are required to identify and to contact an individual or business. This identifying information is also part of the criteria to identify a vendor to determine eligibility for registration in the GSA managed government-wide System for Award Management (SAM.GOV), which replaced the prior Central Contractor Registration (CCR) system. i. Identifying information is needed to identify individuals who require access to secure application code content on the CSC (CBS Support Center) Portal as part of the user account registration process. ii. iii. Identifying information is needed to identify individuals who require access to applications as part ofthe user account registration process. Identifying information is used to track transactions and activity performed using the applications. c. Date and Place of Birth and Mother's maiden name validates the identity of an individual. d. Bank routing number and individual bank account or electronic funds transfer (EFT) number identify the individual or business and process financial transactions, such as payments.

7 Section 4: Information Sharing 4.1 Indicate with whom the agency intends to share the PII/BII in the system and how the PII/BII will be shared. Recipient Caseby-Case Within the bureau DoC bureaus Federal agencies State, local, tribal gov't agencies Public Private sector Foreign governments Foreign entities Other (specify): How Information will be Shared Bulk Direct Other (specify) Transfer Access The PII/BII in the system will not be shared.

8 Section 5: Notice and Consent 5.1 Indicate whether individuals will be notified iftheir PII/BII is collected, maintained, or disseminated by the system. Check all that apply. Yes, notice is provided pursuant to a system of records notice published in the Federal Register (see Section 7). Yes, notice is provided by other means. No, notice is not provided. Specify how: Specify why not: 5.2 Indicate whether and how individuals have an opportunity to decline to provide PII/BII. Yes, individuals have an opportunity to decline to provide PII/BII. No, individuals do not have an opportunityto decline to provide PII/BII. Specify how: Specify why not: CBS does not obtainthe information from the individual; HR provides the information. 5.3 Indicate whether and how individuals have an opportunity to consent to particularuses of their PII/BII. Yes, individuals have an opportunity to consent to particular uses oftheir PII/BII. No, individuals do not have an opportunity to consent to particular uses oftheir PII/BII. Specify how: Specify why not: The information collected is payroll data. Per 5 U.S.C. 301 a department head may prescribe the regulations for the government ofhis department including the conduct of its employees and performance ofits business, records, & property & individuals do not have opportunity to consent to the uses ofthe PII that are collected for the purposes stated by the applicable SORNs. 5.4 Indicate whether and how individuals have an opportunity to review/update PII/BII pertaining to them. Yes, individuals have an opportunity to review/update PII/BII pertaining to them. No, individuals do not have an opportunity to review/update PII/BII pertaining to them. Specify how: Human Resources application or via a Privacy Act Request as per the Privacy Act and as identified in applicable SORN. Specify why not:

9 Section 6; Administrative and Technological Controls 6.1 Indicate the administrative and technological controls for the system. Check all that apply. x x All users signed a confidentiality agreement. All usersare subjectto a Code of Conduct that includes the requirement for confidentiality. Staff receivedtraining on privacy and confidentiality policies and practices. Access to PII/BII is restricted to authorized personnel only. The information is secured in accordance with FISMA requirements. Provide date of mostrecent Assessment and Authorization: 3/6/2014 Thesystem is categorized according to Federal Information Processing Standard (FIPS) 199. If so, the security impact category forthissystem is Low D Moderate % High NIST recommended security controls for protecting PII/BII are inplace and functioning as intended; or have an approved Plan ofaction and Milestones(POAM). Contractors that have access to the system aresubject to information security provisions in their contracts required by DoC and Census policy. Other (specify):

10 Section 7: Privacy Act 7.1 Indicate whether a system of records is being created under theprivacy Act, 5 U.S.C. 552a. (A new system ofrecords notice (SORN) is required ifthe system is not covered by an existing SORN). As per the Privacy Act of1974, "the term 'system ofrecords' means agroup ofany records under the control ofany agency from which information is retrieved bythe name ofthe individual or by some identifying number, symbol, or other identifying particular assigned to the individual." Yes, thissystem is covered by anexisting system ofrecords notice. Provide the system name and number: Census - 2, Employee Productivity Measurements Records DCensus - 3, Special Censuses, Surveys, and Other Studies DCensus - 4, Economic Survey Collection DCensus - 5, Decennial Census Program DCensus - 6, Population Census Records for 1910 and all Subsequent Decennial Censuses DCensus - 7, OtherAgency Surveys and Reimbursables DCensus - 8, Statistical Administrative Records System DCensus - 9, Longitudinal Employer Household Dynamics System DCensus -12, Foreign Trade Statistics HOther COMMERCE/DEPT-1, Attendance, Leave, andpayroll Records of Employees and CertainOtherPersons. COMMERCE/DEPT-2, Accounts Receivable; COMMERCE/DEPT-9, Travel Records (domestic and Foreign) of Employees and Certain Other Persons COMMERCE/DEPT-16, Property AccountabilityFiles COMMERCE/DEPT-17, Records ofcash Receipts; COMMERCE/DEPT-22, Small Purchase Records Yes, a system ofrecords notice has been submittedto the Departmentfor approval on {date). No, a system ofrecords is not being created.

11 Section 8; Retention ofinformation 8.1 Indicate whetherthese records are covered by an approved records control schedule and monitored for compliance. Check all that apply. There is an approved record control schedule. Providethe name ofthe record control schedule: GRS 20, GRS 7. item 1 No, there is not an approved record control schedule. Provide the stage in which the project is in developing and submitting a records control schedule: Yes, retention is monitored for compliance to the schedule. 10