Privacy Impact Assessment

NATIONAL SECURITY EDUCATION PROGRAM (NSEP)
PRIVACY IMPACT ASSESSMENT (PIA)
for the
NATIONAL LANGUAGE SERVICE CORPS (NLSC) PILOT
11 April 2008

Prepared by: Robert O. Slater, PhD
Director, National Security Education Program

Introduction
The E-Government Act of 2002 (Public Law 107-347,44 U.S.C., CH 46) requires all
Federal government agencies to conduct Privacy Impact Assessments (PIA) for all new
or substantially changed technology that collects, maintains, or disseminates personally
identifiable information.
The Office of Management and Budget (OMB) Memorandum 03-22, Guidance for
Implementing the Privacy Provisions of the E-Government Act of 2002 (dated 26 Sep
03), Department of Defense (DoD) Privacy Impact Assessment (PIA) Guidance
Memorandum on Publishing Impact Assessments provides information to agencies and
the DoD on Implementing the provisions.

E-Government Act Section 208 Implementation Guidance
A PIA is a process for determining the risks and effects of collecting, maintaining, and
disseminating information in identifiable form in an electronic information system, and
for identifying and evaluating protections and alternative processes to mitigate the impact
to privacy of collecting information in identifiable form.
The E-Government Act requires that agencies conduct a PIA before (i) developing or
procuring information technology that collects, maintains, or disseminates information
that is in an identifiable form or (ii) initiating a new electronic collection of information
that will be collected from ten or more persons, other than agencies, instrumentalities, or
employees of the Federal Government, and will be maintained, or disseminated in an
identifiable form, using information technology.
PIAs are conducted to ensure that there is no collection, storage, access, use, or
dissemination of identifiable information from or about members of the general public
and businesses that is not needed or authorized, and that identifiable information that is
collected is adequately protected. PIAs may address issues relating to the integrity and
availability of data handled by a system, to the extent these issues are not already
adequately addressed in a System Security Plan.

Definitions:
Information in identifiable form: Information in an IT system or online collection: (i)
that directly identifies an individual (e.g., name, address, social security number or other
identifying number or code, telephone number, email address, etc.) or (ii) by which an
agency intends to identify specific individuals in conjunction with other data elements,
i.e., indirect identification. (These data elements may include a combination of gender,
race, birth date, geographic indicator, and other descriptors).
Information technology (IT): As defined in the Clinger-Cohen Act, any equipment,
software or interconnected system or subsystem that is used in the automatic acquisition,
storage, manipulation, management, movement, control, display, switching, interchange,
transmission, or reception of data or information.

1

NATIONAL LANGUAGE SERVICE CORPS PILOT PRIVACY IMPACT
ASSESSMENT (PIA)
1.

Department of Defense (DoD) Component: National Security Education
Program (NSEP), Defense Human Resources Activity (DHRA), Under
Secretary of Defense for Personnel and Readiness.

2.

Name of Information Technology (IT) System: Operations Support System
for the National Language Service Corps (NLSC) Pilot.

3.

Budget System Identification Number (SNAP-IT Initiative Number):
[TBD]

4.

System Identification Number(s) (IT Registry/Defense IT Portfolio
Repository (DITPR)): [TBD]

5.

IT Investment (OMB Circular A-11) Unique Identifier (if applicable):
[TBD]

6.

Privacy Act System of Records Notice Identifier (if applicable): DHRA
05. The System of Records Notice (SORN) is being developed in parallel to
this PIA.

7.

OMB Information Collection Requirement Number (if applicable) and
Expiration Date: The OMB information collection requirement number is
being applied for and will be placed in this section upon OMB approval.

8.

Type of authority to collect information (statutory or otherwise): 5 U.S.C.
301, Departmental Regulations; 10 U.S.C. 131, Office of the Secretary of
Defense; DoD Directive 5124.2, Under Secretary of Defense for Personnel
and Readiness; 50 U.S.C 403-1b, War and National Defense; Public Law 109364, Sec. 944, Administration of pilot project on Civilian Linguist Reserve
Corps; and Public Law 108-487, Sec. 613, Pilot Project on Civilian Linguist
Reserve Corps.

9.

Provide a brief summary or overview of the IT system (activity/purpose,
present life-cycle phase, system owner, system boundaries and
interconnections, location of system and components, and system
backup): The Operations Support System for the NLSC Pilot is a web-based
portal to allow U.S. citizens with language and special skills to self-identify
these skills for the purpose of temporary employment on an intermittent work
schedule or service opportunities in the federal or state government during
periods of national need or emergency. The information will be used to
identify and contact NLSC Charter Members and prospective Charter
Members in times of need. The collection will allow preliminary background
checks prior to any final appointment in the NLSC of only those individuals

2

the NLSC expects to employ temporarily during the Pilot Program.
Background checks are not expected for the remaining Charter Members. The
system owner is the Director, National Security Education Program, 1101
Wilson Blvd., Suite 1210, Arlington, VA 22209-2248. The system physically
resides at American Data Technology, Inc., PO Box 12892, Research Triangle
Park, NC 27709.
10.

Describe what information in identifiable form will be collected and the
nature and source of the information (e.g., names, social security
numbers, gender, race, other component IT systems, IT systems from
agencies outside DoD, etc.): The information collected is from individuals to
support the mission of the NLSC Pilot. The categories of information
collected are: Full name; address, city; state; zip code; and where available email address; telephone number; education level; foreign language(s) spoken,
foreign language proficiency levels, and English proficiency levels. Upon
submission of completed forms, a unique identifier will be assigned to each
participant in this program in lieu of using SSN.

11.

Describe how the information will be collected (e.g., via the Web, via
paper-based collection, etc): Information will be collected from individuals
via paper-based collection and via Internet portal.

12.

Describe the requirement and why the information is identifiable form is
to be collected: The mission of the NLSC Pilot is to provide and maintain a
readily available civilian corps of certified volunteers in languages determined
to be important to the security and welfare of the nation. The NLSC is
established as a Pilot program that, upon becoming fully operational, will fill
any gaps that may exist between federal and state requirements and available
language skills, providing the capabilities for meeting short-, mid-, and longterm requirements through the identification and warehousing of expertise and
skills in current and potential critical languages. These language capabilities
serve the broader interests of the Federal departments and their agencies as
well as needs of the States.

13.

Describe how the information in identifiable form will be used (e.g., to
discharge a statutory mandate, to execute a Component program, etc.):
The NLSC Pilot maintains a readily available roster of volunteers with
certified language skills that are available in time of war, national emergency,
or other national needs.

14.

Describe whether the system derives or creates new data about
individuals through aggregation: The Operations Support System for the
NLSC Pilot does not derive or create new data about individuals through
aggregation.

3

15.

Describe with whom the information in identifiable form will be shared,
both within the Component and outside the Component (e.g., other DoD
Components, Federal agencies, etc.): The information will only be shared
within the National Language Service Corps by program personnel who
require the records in the performance of their official duties.

16.

Describe any opportunities individuals will have to object to the collection
of information in identifiable form about themselves or to consent to the
specific uses of the information in identifiable form. Where consent is to
be obtained, describe the process regarding how the individual is to grant
consent.
Individuals provide information voluntarily. Disclosure is printed on DD
Forms X558, X559, X560, X561; however, failure to provide information
may result in non-enrollment in the NLSC Pilot, and refusal to grant access to
Charter Member areas of the Operations Support System for the NLSC Pilot.

17.

Describe any information that is provided to an individual and the format
of such information (Privacy Act Statement, Privacy Advisory) as well as
the means of delivery (e.g., written, electronic, etc.), regarding the
determination to collect the information in identifiable form.
Privacy Act Statements, as required by 5 U.S.C. 552a(e)(3), are printed on DD
Form X558, X559, X560, X561, and provided at the collection point. The
statement provides the following: collection purpose, authorities, external
uses, nature of the program, the name and number of the Privacy Act System
of Records Notice governing the collection, and an electronic link to the
system notice. The statement is included on paper and electronic collection
forms.

18.

Describe the administrative/business, physical, and technical processes
and controls adopted to secure, protect, and preserve the confidentiality
of the information in identifiable form.
Access to personal information is restricted to NLSC personnel who require
the records in the performance of their official duties. Access to personal
information is further restricted by the use of passwords that are changed
periodically. Physical entry is restricted by the use of locks, guards, and
administrative procedures.

19.

Identify where the IT system or collection of information will require a
System of Records notice as defined by the Privacy Act of 1974 and as
implemented by DoD Directive 5400.11, “DoD Privacy Program,”
November 11, 2004. If so, and a System Notice has been published in the
Federal Register, the Privacy Act System of Records Identifier must be

4

listed in Question 6 above. If not yet published, state when publication of
notice will occur.
The System of Records Notice is currently being developed and will be
published upon approval of the OSD/JS Privacy Office.
20.

Describe/evaluate any potential privacy risks regarding the collection,
use, and sharing of the information in identifiable form.
Describe/evaluate any privacy risks in providing individuals an
opportunity to object/consent or in notifying individuals.
Describe/evaluate further any risks posed by the adopted security
measures.
The security features of the NLSC Pilot provide a level of protection that
meets or exceeds the minimal requirements of DoD Directives 5400.11 and
8500.01E. The concept of identification and authentication "layered
protection" is used to keep unauthorized users out of the Operations Support
System for the NLSC Pilot. All personnel granted access must participate in a
security training and awareness program. This program consists of both initial
security training and annual refresher training.
THREATS: Access, storage and transmission of information protected under
the Privacy Act of 1974 are subject to threats, including, but not limited to:
malware, sniffing, spoofing, and physical assault, as well as various natural
disasters and failures which impact either the protected infrastructure or the
services upon which the infrastructure depends. All of these imperil, to one
extent or another, information availability, integrity, and confidentiality
DANGERS: Individuals provide information voluntarily. There are no
known dangers in providing notice of the collection or allowing an individual
to object/consent. Therefore, individuals are given this opportunity at time of
data collection via a Privacy Act Statement. Individuals are free to raise
objections if new threats are perceived.

5

RISK

Unauthorized
disclosure of
recruitment and
employment
information on the
ability to market and
hire personnel.

Unauthorized
modification or
destruction of
information for
recruitment and
employment.

MITIGATION

Paper and electronic
media containing
information is restricted
to those who require the
data in the performance
of their official duties.
Access to information is
further restricted by the
use of passwords that
are changed
periodically. Physical
entry is restricted by the
use of locks, guards, and
administrative
procedures.
In most cases,
unauthorized disclosure
of staff recruitment and
employment information
will have only a limited
adverse effect on NLSC
Pilot operations, assets,
or individuals.
Periodic assessment of
security controls related
to modification or
destruction of
information are
performed.
Although there can be
serious short-term
effects for individuals,
the effects of
modification or deletion
of staff recruitment and
employment information
are generally limited
with respect to NLSC
Pilot capabilities or
assets.

6

ASSESSMENT
(HIGH, MEDIUM,
LOW)
LOW

LOW

21.

RISK

MITIGATION

Delay in recruitment
and employment due to
the availability of the
data supporting the
NLSC Pilot.

Data is maintained in
paper and electronic
media. The NLSC Pilot
is designed to mature
the effectiveness of staff
recruitment and
employment processes.
Reasonable delays are
tolerable.

ASSESSMENT
(HIGH, MEDIUM,
LOW)
LOW

State classification of information/system and whether the PIA should be
published or not. If not, provide rationale. If a PIA is planned for
publication, state whether it will be published in full or summary form.
The NLSC Pilot security classification is Low as determined from analysis of
NLSC Pilot business activities and mapping of types of information and
information systems to security categories — Staff Recruitment and
Employment Information Type – in the NIST SP 800-60 Volume II. The PIA
should be published in full.

7