U.S. Securities and Exchange Commission. Mailroom Package Tracking System (MPTS) PRIVACY IMPACT ASSESSMENT (PIA)



Similar documents
U.S. Securities and Exchange Commission. Integrated Workplace Management System (IWMS) PRIVACY IMPACT ASSESSMENT (PIA)

U.S. Securities and Exchange Commission. Easy Lobby PRIVACY IMPACT ASSESSMENT (PIA)

PRIVACY IMPACT ASSESSMENT (PIA) GUIDE

United States Department of State Global Financial Management System (GFMS) Privacy Impact Assessment

Privacy Impact Assessment

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

Privacy Impact Assessment For Management Information System (MIS) Date: September 4, Point of contact: Hui Yang

Privacy Impact Assessment for the. Standardized Tracking and Accounting Reporting System- Financial Management System (STARS-FMS)

Federal Bureau of Prisons. Privacy Impact Assessment for the HR Automation System. Issued by: Sonya D. Thompson Deputy Assistant Director/CIO

Department of Homeland Security Web Portals

Privacy Impact Assessment for the Volunteer/Contractor Information System

A. SYSTEM DESCRIPTION

Federal Trade Commission Privacy Impact Assessment

FHFA. Privacy Impact Assessment Template FM: SYSTEMS (SYSTEM NAME)

A. SYSTEM DESCRIPTION

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

A. SYSTEM DESCRIPTION

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

Privacy Impact Assessment

Homeland Security Virtual Assistance Center

Federal Trade Commission Privacy Impact Assessment. for the: Gilardi & Co., LLC Claims Management System and Online Claim Submission Website

A. SYSTEM DESCRIPTION

United States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB)

Department of the Interior Privacy Impact Assessment Template

Crew Member Self Defense Training (CMSDT) Program

A. SYSTEM DESCRIPTION

Privacy Impact Assessment Forest Service Computer Base Legacy

1. Contact Information. 2. System Information. Privacy Impact Assessment (PIA)

Federal Trade Commission Privacy Impact Assessment. Conference Room Scheduling PIA

A. SYSTEM DESCRIPTION

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015

Privacy Impact Assessment (PIA)

Federal Trade Commission Privacy Impact Assessment. for the: Analytics Consulting LLC Claims Management System and Online Claim Submission Website

ERIC - A Guide to an Introduction

The Bureau of the Fiscal Service. Privacy Impact Assessment

Federal Trade Commission Privacy Impact Assessment for:

Web Time and Attendance

A. SYSTEM DESCRIPTION

A. SYSTEM DESCRIPTION

A. SYSTEM DESCRIPTION

Privacy Impact Assessment

CASE MATTER MANAGEMENT TRACKING SYSTEM

The Bureau of the Fiscal Service. Privacy Impact Assessment

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

Privacy Impact Assessment. For. Non-GFE for Remote Access. Date: May 26, Point of Contact and Author: Michael Gray

Taxpayers/Public/Tax Systems Employees/Personnel/HR Systems Other Source: State agencies provide payment information via EFTPS and SDT

1. Describe the information (data elements and fields) available in the system in the following categories:

A. SYSTEM DESCRIPTION

Department of the Interior Privacy Impact Assessment

INTERNational Connections Privacy Impact Assessment

Privacy Impact Assessment (PIA) Waiver Review System (WRS) Version Last Updated: December 2, 2013

Accounting Package (ACCPAC)

A. SYSTEM DESCRIPTION

A. SYSTEM DESCRIPTION

Federal Trade Commission Privacy Impact Assessment

A. SYSTEM DESCRIPTION

Federal Trade Commission Privacy Impact Assessment. for the: Secure File Transfer System

Federal Bureau of Prisons

Federal Trade Commission Privacy Impact Assessment. for the:

Privacy Impact Assessment. For Education s Central Automated Processing System (EDCAPS) Date: October 29, 2014

Canine Website System (CWS System) DHS/TSA/PIA-036 January 13, 2012

Privacy Impact Assessment for the. Remedy System. November 15, Contact Point Luis Vega,

Permit Power of Attorney (PoA) to establish an agreement on behalf of the taxpayer

A. SYSTEM DESCRIPTION

Privacy Impact Assessment. Date: April 18, Point of Contact: Jim Hibberd KratosLearning.com

PRIVACY IMPACT ASSESSMENT

Web Time & Attendance System

Issue Based Management Information System (Redesign) is a Small Other system/application sponsored by LB&I.

Financial Disclosure Management (FDM)

REMEDY Enterprise Services Management System

Department of the Interior Privacy Impact Assessment

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

New system Significant modification to an existing system To update existing PIA for a triennial security reauthorization

How To Use The Revenue Accounting And Management System (Ram) System

How To Understand The System Of Records In The United States

United States Department of State Privacy Impact Assessment Risk Analysis and Management

Department of State SharePoint Server PIA

Privacy Considerations In The SMART World

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

A. SYSTEM DESCRIPTION

Authentication and Provisioning Services (APS)

US Federal Student Aid Datashare (SBU-PII) Application and Database

Federal Bureau of Prisons

Department of the Interior Privacy Impact Assessment (PIA) Updated February 2011

Were there other system changes not listed above? No 3. Check the current ELC (Enterprise Life Cycle) Milestones (select all that apply)

Commodity Futures Trading Commission Privacy Impact Assessment

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

United States Department of State Privacy Impact Assessment IIP Program Management and Outreach System (IIP-PMOS ITAB Number 2600)

Privacy Impact Assessment for TRUFONE Inmate Telephone System

Integrated Financial Management Information System (IFMIS) Merger

Federal Protective Service Dispatch and Incident Record Management Systems

A. SYSTEM DESCRIPTION

e-performance System

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

Privacy Impact Assessment

3. Characterization of the Information

Directory Services and System (DSES)

A. SYSTEM DESCRIPTION

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

Transcription:

U.S. Securities and Exchange Commission (MPTS) PRIVACY IMPACT ASSESSMENT (PIA) February 24, 2013

General Information 1. Name of Project or System. (MPTS) 2. Describe the project and its purpose or function in the SEC s IT environment. MPTS facilitates the tracking of mail and packages that require delivery acknowledgement and which are received at the SEC/Station Place Mailroom. MPTS consists of a database, report generator and the user interface. The database has essentially 2 components, an address book and a delivery status component. The address book provides delivery and contact information to the mail clerks, while the delivery status component tracks package delivery from the time of entry into the Mailroom through delivery to the addressee. The report generator component provides the user with performance statistics via both preformatted and customized forms. The MPTS uses new hardware (Barcode scanner) integration that facilitates capture of package identifiers for the purposes of package tracking, consequently improving accountability and traceability of packages being delivered and supporting the SEC administrative infrastructure. The new hardware will work with MPTS/SCLogic's SCLintra. The xcanner reads and transmits identification barcodes for packages to MPTS; it does not retrieve or transmit any PII. 3. Requested Operational Date? 3/19/2013 4. System of Records tice (SORN) number? SEC-37, Automated Personnel Management Information System; and SEC-46, Identification Cards, Press Passes, and Proximity Access Control Cards. 5. Is this an Exhibit 300 project or system? Yes 6. What specific legal authorities, arrangements, and/or agreements allow the collection of this information? 5 U.S.C. 302 Specific Questions SECTION I - Data in the System 1. What data about individuals could be collected, generated, or retained? Name, office address, mailstop, telephone number and work email address 2. Does the project/system use or collect the social security number (SSN)? (This includes truncated SSNs). Yes. If yes, provide the function of the SSN and the legal authority to collect. 3. What are the sources of the data? The MPTS will process contact data received via an MS Excel or CSV file extraction from the Active Directory. This process will be manual. 4. Why is the data being collected? 1

The data is required for the Station Place Mailroom personnel to know where an individual is located in order to deliver SEC mail addressed to the individual. 5. What technologies will be used to collect the data? The address book data will be uploaded manually via an MS Excel or CSV file extraction from the Active Directory provided to the Mailroom weekly or bi-weekly probably via email or manual secured FTP transfer. Although data can be updated at the MPTS consoles, this method is not likely to be used due to the frequency of the AD updates; however, entered data for transactions from the workstation client will not be encrypted by the software but will be transmitted using SSL v.3 and HTTPS protocols. SECTION II - Attributes of the Data (use and accuracy) 1. Describe the uses of the data. The location data will be used to determine the room number and mailstop for employees when packages arrive. The telephone number will be used to contact the employee regarding received or sent packages. The email address will be used to notify employees when packages addressed to them have arrived. 2. Does the system analyze data to assist users in identifying previously unknown areas of note, concern or pattern? Yes If yes, please explain: 3. How will the data collected from individuals or derived by the system be checked for accuracy? Data will be corrected when Mailroom clerks discover that individuals are not at the location indicated by the address book; however, the SEC/OIT will be requiring individuals to maintain their own location and contact data in the Active Directory which will be the Mailroom's data source. SECTION III - Sharing Practices 1. Will the data be shared with any internal organizations? Yes If yes, please list organization(s): 2. Will the data be shared with any external organizations? Yes If yes, please list organizations(s): How is the data transmitted or disclosed to external organization(s)? 3. How is the shared data secured by external recipients? N/A 4. Does the project/system process or access PII in any other SEC system? Yes. If yes, list system(s). The MPTS will manually upload contact data received via an MS Excel or CSV file extraction from the Active Directory. SECTION IV - tice to Individuals to Decline/Consent Use 1. What privacy notice was provided to the different individuals prior to collection of data?

(Check all that apply) Privacy Act Statement System of Records tice Privacy Impact Assessment Web Privacy Policy tice was not provided to individuals prior to collection 2. Do individuals have the opportunity and/or right to decline to provide data? Yes N/A Please explain: Information in this system is not collected directly from individuals. The SEC-37, Automated Personnel Management Information System and SEC-46, Identification Cards, Press Passes, and Proximity Access Control Cards Systems of Records tices adequately cover how information is used. additional notice or consent is required. 3. Do individuals have the right to consent to particular uses of the data? Yes N/A Please explain: Information in this system is not collected directly from individuals. The SEC-37, Automated Personnel Management Information System and SEC-46, Identification Cards, Press Passes, and Proximity Access Control Cards Systems of Records tices adequately cover how information is used. additional notice or consent is required. SECTION V - Access to Data (administrative and technological controls) 1. Has the retention schedule been established by the National Archives and Records Administration (NARA)? If no, please explain: Yes If yes, list retention period: These records will be maintained until they become inactive, at which time they will be retired or destroyed in 1 year in accordance with records schedules of the United States Securities and Exchange Commission as approved by the National Archives and Records Administration. (GRS 12, item 5 & 6). 2. Describe the privacy training provided to users, either generally or specifically relevant to the program or system? All SEC staff and contractors receive annual privacy awareness training, which outlines their roles and responsibilities for properly handling and protecting PII. They are also required to read and certify the SEC Rules of the Road. 3. Has a system security plan been completed for the information system(s) supporting the project? Yes If yes, please provide date C&A was completed: OIT has performed security testing on MPTS. The C&A documents are expected to be delivered by February 15, 2013 and an Authorization to Operate (ATO) may be issued by February 22, 2013. If the project does not trigger the C&A requirement, state that along with an explanation 4. Is the system exposed to the Internet without going through VPN? Yes If yes, Is secure authentication required? Yes; and Is the session encrypted? Yes

5. Are there regular (ie. periodic, recurring, etc.) PII data extractions from the system? Yes If yes, please explain: SEC Station Place Mailroom personnel will conduct daily lookups and make address labels containing individual name and location to put on the packages being delivered. There is no retention of PII extractions. 6. Which user group(s) will have access to the system? SEC Station Place Mailroom personnel, OIT/BOS 7. How is access to the data by a user determined? Access and Capability privileges are defined by the MPTS Administrator in the SEC Station Place Mailroom. Are procedures documented? Yes 8. How are the actual assignments of roles and rules verified. Annual and periodic reviews are conducted to ensure that privileges assigned to users are correct. Upon departure of a user from the mailroom, the account is to be immediately suspended by the application/system administrator. Access is granted after the administrator receives a written request from the user which is then approved by the unit s supervisor or manager. The user is notified by email as to user ID and, separately, regarding a password. 9. What auditing measures/controls and technical safeguards are in place to prevent misuse (e.g., unauthorized browsing) of data? The application maintains both system access and activity logs. Additionally, all users are authenticated using passwords at login and data transactions are transmitted via SSL v.3 and HTTPS protocols. SECTION VI - Privacy Analysis Given the amount and type of data being collected, discuss what privacy risks were identified and how they were mitigated. The likely privacy risk for this data collection is unauthorized or inadvertent disclosure of nonpublic data. The controls in place minimize this risk. Access to the data is controlled via limited access to the MPTS/SCLIntra using logon IDs and passwords. Data transactions are transmitted via SSL v.3 and HTTPS protocols. Although the system is maintained by the vendor, the physical system is located onsite at the SEC. Therefore additional physical controls such as 24 hour guards and limited access to the facilities are in place.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information