Privacy Impact Assessment

August 2008

Page 23

• Name

• Shipping Address (sometimes a home address)

• City

• State

• Zip Code + Four

• Category of the Organization or Affiliation (i.e. State, local, tribal, etc.)

• DHS Affiliation (the component in DHS)

• Other Federal Agencies (i.e. USDA, DOD, etc.)

• Type of Organization or Affiliation (i.e. Emergency Management, Law Enforcement, etc.)

• Current Status in the Organization (Paid Full-time, volunteer, etc.)

• Organization Name

• Organization Address

• Organization City

• Organization State

• Organization Zip Code + Four

• Organization County/Parish

• Tribal Name (if applicable)

• Organizational Local Jurisdiction (if applicable)

• Work Phone

• Home Phone

• Date of Birth

• Course Code

• Email Address

• Exam Answers

1.2 From whom is information collected?

Information is being collected by Federal, State, local, and Tribal emergency management personnel and the general citizenry of the United States who take Independent Study courses from FEMA.

1.3 Why is the information being collected?

The EMI Training Program Home Study Courses System’s will collect and maintain the Independent Study Program’s students’ training completion information necessary for creating and updating student records, tracking completions and failures, and issuing completion certificates. This information will be used to issue college credit for completion of FEMA/EMI IS courses and issue student transcripts.

The Emergency Management Training Program Home Study Courses System also maintains training completion data for the National Incident Management System (NIMS) training courses that are required of all Federal departments and agencies through Homeland Security Presidential Directive 5, “Management of Domestic Incidents”. These courses provide a consistent nationwide template to enable all government, private-sector, and nongovernmental organizations to work together during domestic incidents. Organizations are required to be compliant with NIMS in order to receive NIMS grant funding. The individual student completion data is reported to the State Training Officers (STO) so they can ensure compliance with NIMS as defined by HSPD-5 and HSPD-8.

1.4 What specific legal authorities/arrangements/agreements define the collection of information?

The Independent Study (IS) Program only collects the minimal personally identifying information necessary for processing training course submissions and providing accurate statistical data. The regulations pertaining to the IS Program are presented in the Robert T. Stafford Disaster Relief and Emergency Act, Public Law 106-390, as amended, and the DHS Presidential Directive 5, “Management of Domestic Incidents.” In order to provide training completion data to the State, local, and Tribal emergency management agencies to satisfy their compliance with HSPD‑5 and HSPD-8, it is necessary to collect registration information as well as organizational data, which is usually an individual’s employer. These directives require that Federal preparedness assistance funding for States, Territories, local jurisdictions and Tribal entities be dependent on NIMS compliance. Training is one of the important elements that State, territory, local and Tribal entities must complete in order to become NIMS compliant. The NIMS training courses are a core part of FEMA/EMI’s Independent Study Program. The data collected is entered into a secure government database and all paper submissions are placed in locked storage areas in accordance with records management regulations

In the redesign of our database we are discontinuing the use of the Social Security Number and establishing a unique identifier in its place to significantly reduce the likelihood of identity theft.

5. Privacy Impact Analysis: Given the amount and type of data being collected, discuss what privacy risks were identified and how they were mitigated.

The privacy risks include the collection of Privacy Act protected data. As the database is enhanced, the use of the SSN as the unique identifier in the system will be discontinued and instead a unique identifier such as a randomly generated number and/or allow the user to select a unique user name to be used as their unique identifier. Only shipping address information, which can sometimes be a home address, will be collected on the limited number of people who submit a paper form. Approximately 2% of the total submissions come from individuals where a shipping address could potentially be a home address. A privacy risk was identified in terms of collecting this data electronically. The electronic version of the form will be available at the FEMA/EMI training web site for the Independent Study Program http://training.fema.gov and will encrypt the data as it is sent to the Emergency Management Training Program Home Study Courses System to mitigate the privacy risk.

Section 2.0
Uses of the system and the information

The following questions are intended to delineate clearly the use of information and the accuracy of the data being used.

2.1 Describe all the uses of information.

Similar to Section 1.3, this information is used to maintain student training completion information. The information collected allows FEMA to create and update student records, track completions and failures and issue completion certificates of students who take Independent Study courses. This information is used to issue college credit for completion of FEMA/EMI IS courses and student transcripts which are provided to institutions for assisting students in obtaining continuing education units and/or to military institutions for military personnel to earn retirement points for successful completion of IS courses.

The Emergency Management Training Program Home Study Courses System also maintains training completion data for the National Incident Management System (NIMS) training courses that are required of all Federal departments and agencies through Homeland Security Presidential Directive 5, “Management of Domestic Incidents”. This individual student completion data is reported to our customers, the State Training Officers (STO) in order to ensure compliance with NIMS as defined by HSPD-5 and HSPD-8.

2.2 Does the system analyze data to assist users in identifying previously unknown areas of note, concern, or pattern (Sometimes referred to as data mining)?

No, not applicable.

2.3 How will the information collected from individuals or derived from the system be checked for accuracy?

Individuals will be asked to select from a list of verified, accurate, available organizations to identify their affiliation during course enrollment. If the organization is not listed, they can submit information for the organization to be vetted and added to the list. Students will select from a list the city, state, and zip to prohibit inadvertent errors being entered. Data is also periodically reviewed to merge accounts as appropriate. In addition, the IS staff also corrects information on a daily basis and cleans up records based on student inquiries.

System audit trails within the system will provide the ability to track users that perform the data manipulation actions. Periodically, these trails are queried to ensure that the system is working as designed. If an individual was found to be using the information inappropriately, immediate disciplinary actions would be taken.

2.4 Privacy Impact Analysis: Given the amount and type of information collected, describe any types of controls that may be in place to ensure that information is used in accordance with the above described uses.

FEMA/EMI has limited the amount and type of personal information collected in the Independent Study Program. The IS Program has in place auditing practices to ensure that the information is not used for other purposes. Only authorized users of the system may gain access to the information. If an individual is found to be misusing the information, appropriate disciplinary actions will be taken.

Section 3.0
Retention

The following questions are intended to outline how long information will be retained after the initial collection.

3.1 What is the retention period for the data in the system?

The retention period for the data in the system is 40 years. Database records will be saved with the Independent Study program for 40 years in order to provide complete course transcripts.

3.2 Has the retention schedule been approved by the National Archives and Records Administration (NARA)?

Yes. It is in accordance with FEMA Records Disposition Schedule TNG 11-1.

3.3 Privacy Impact Analysis: Given the purpose of retaining the information, explain why the information is needed for the indicated period.

The information is retained for the indicated period to allow the IS programto provide accurate transcripts for students and to allow records to be restored as needed.

Section 4.0
Internal sharing and disclosure

The following questions are intended to define the scope of sharing within the Department of Homeland Security.

4.1 With which internal organizations is the information shared?

Limited information is shared with FEMA Regional, Headquarters and EMI staff. Information may also be shared with DHS/FEMA Office of Chief Counsel (OCC) and/or Office of the Inspector General (OIG) based on each FEMA internal office’s official role.

4.2 For each organization, what information is shared and for what purpose?

PII including the student’s name, organizational information, training courses completed and dates of completion are shared to FEMA Regional Training Managers, FEMA EMI Course managers, leadership and administration staff and FEMA Cadre Managers. This information is shared with FEMA personnel for the purpose of verifying that the individual has completed Independent Study prerequisite courses prior to classroom training and/or to verify other mandatory training has been completed. It is also used to analyze students’/organizations’ application and enrollment patterns for specific courses and to respond to student inquiries. Information is provided to FEMA’s Office of Chief Counsel (OCC) or the DHS Office of Inspector General (OIG), when necessary for litigation purposes and/or investigations.

4.3 How is the information transmitted or disclosed?

Such information will be viewable by authorized FEMA employees through a web-application as part of the upgrade to the Emergency Management Training Program Home Study Courses System. Specific roles and rights within the system limit the amount and type of information that is viewable to each FEMA role (i.e. FEMA Cadre Manager can only see their cadre member’s completions, etc.). Hard copies of the requested documents would be delivered via fax, mail or courier, as necessary to the OCC or the OIG.

4.4 Privacy Impact Analysis: Given the internal sharing, discuss what privacy risks were identified and how they were mitigated.

The main privacy risk identified is that the system collects the minimum necessary “personally identifying” information under the Privacy Act of 1974, 5 U.S.C. 552a (Privacy Act), which should not be disclosed. This was mitigated by only allowing non-Privacy Act information for users to view, such as name, organizational information, course code, course title, and course completion date. Additionally, information is provided specific to each role that is in the system, allowing users to only view the information they require and not open access to all system information.

Section 5.0
External sharing and disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DHS which includes Federal, state and local government, and the private sector.

5.1 With which external organizations is the information shared?

FEMA/EMI does not share personally identifying information with external agencies other than as outlined in the “Routine Uses” in the SORN and listed under the Privacy Act Statement on FEMA Form 95-23:

• Members of the Board of Visitors

• Sponsoring Colleges

• Sponsoring State or local officials and agencies (including State Training Officers)

• Member of Congress

• Agency training program contractors and computer centers

• Military personnel or training offices

Information may also be shared with the Office of Personnel Management (OPM) for the Enterprise Human Resource Integration (EHRI) government initiative. EHRI is one of the 24 e-Government initiatives designed to support the President's Management Agenda (PMA). OPM's EHRI will support human resources management across the Federal Government at all levels from front-line employee to senior management. When fully implemented, EHRI will replace the current Official Personnel Folder (OPF) with an electronic employee record for all Executive Branch employees, resulting in a comprehensive electronic personnel data repository covering the entire life cycle of Federal employment which includes employee Training. Training Records shared with EHRI would only include records from federal employees. Information provided for EHRI includes information on Federal employees only and includes the following information; unique identifier, course title and course completion date and is provided to comply with OMB and OPM reporting requirements for training data on Federal employees.

Additionally, all students will be able to view their own training records through a web-based application.

5.2 What information is shared and for what purpose?

FEMA/EMI shares only the minimum necessary personally identifying information with external agencies as outlined in the “Routine Uses” in the SORN and listed under the Privacy Act Statement on FEMA Form 95-23. The following information is provided to the entities below along with its purpose:

Members of the Board of Visitors – number of course completions based on course code and state for the specific purpose of evaluating programmatic statistics.

Sponsoring Colleges – student name, address, course code, course title, and completion date to provide college credit for completed courses.

Sponsoring State or local officials and agencies – student name, address, unique identifier, email address, course code, course title, and completion date to update and evaluate statistics of EMI participants.

Member of Congress – student name, address, email address, course code, course title, completions date, or course completions based on course code and state for first party information requests.

Agency training program contractors and computer centers - student name, address, organizational information, unique identifier, email address, course code, course title, completion date, score and answers to perform administrative functions of entering data into the system and responding to student inquiries.

Military personnel or training offices – student name, address, course code, course title, completion date and continuing education units to award military credit for completed courses.

Additional routine uses are listed below. In the update to the SORN, the routine uses will be revised to include the following:

Federal, State, territorial, tribal, local, international, or foreign agency law enforcement authority or other appropriate agency – Where a record, either on its face or in conjunction with other information, indicates a violation or potential violation of law—criminal, civil or regulatory—the relevant records may be referred to any of the aforementioned agencies charged with investigating or prosecuting such a violation or enforcing or implementing such law.

Agency, organization, or individual – for the purposes of performing authorized audit or oversight operations.

Contractors, grantees, experts, consultants, students, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for the Federal Government – when necessary to accomplish an agency function related to this system of records.

5.3 How is the information transmitted or disclosed?

Sponsoring state or local officials and agency training program contractors will access the information via a web-based application. Based on roles and rights within the system, they will only be able to access information related to their state or local agency. Security protocols, in accordance with DHS standards will be implemented to prohibit unauthorized personnel from accessing student information. Security protocols including items such as verification of the organization via organizational letterhead and using a unique username and security question to verify individuals’ identity. All transmitted files containing PII will be encrypted to 128-bit Advanced Encryption Standard (AES).

The information for OPM’s EHRI will be sent via a secured XML file.

5.4 Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared?

No, not applicable.

5.5 How is the shared information secured by the recipient?

When information is provided, FEMA/EMI will include a letter to the external agency indicating that FEMA’s Privacy Act records are being provided and indicate that they can only be used for the applicable routine use, and that further disclosure of the records is not permissible.

5.6 What type of training is required for users from agencies outside DHS prior to receiving access to the information?

Not applicable. We will only share this information with external agencies pursuant to the allowable “Routine Uses.”

5.7 Privacy Impact Analysis: Given the external sharing, what privacy risks were identified and describe how they were mitigated.

FEMA/EMI limits the sharing of personal information collected as part of IS Program to external agencies. FEMA/EMI will review the request and determine whether or not it meets the standards set out by the “Routine Uses” and the SORN. The system has specific roles and rights that restriction access to data that is not specific to the individual or agency.

Section 6.0
Notice

The following questions are directed at notice to the individual of the scope of information collected, the right to consent to uses of said information, and the right to decline to provide information.

6.1 Was notice provided to the individual prior to collection of information? If yes, please provide a copy of the notice as an appendix. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register Notice. If notice was not provided, why not?

Yes. The data collection form contains a Privacy Act notice and the original SORN refers to routine uses. In addition, a Privacy Act notice is given to the individual on the website where the forms are filled out and on the form itself. The link to the Privacy Policy is https://training.fema.gov/EMIWeb/IS/Exams/privacystatement.html. A copy of Privacy Act notice is attached (Appendix C).

6.2 Do individuals have an opportunity and/or right to decline to provide information?

Yes, students can opt-out of providing certain information. As a minimum we must collect, their name and state in which they reside in order for them to receive credit for their training completion. We are now giving the students the option of using a unique identification number as alternative to a social security number. In the upgraded system they will use a unique user name.

6.3 Do individuals have the right to consent to particular uses of the information, and if so, how does the individual exercise the right?

Yes, the individual has the right to consent to particular uses of the information consistent with the routine uses in the SORN and in the Privacy Act Statement. In addition, we will update the SORN and during the public comment period, all individuals have the opportunity to inquire and comment on the uses of the information.

6.4 Privacy Impact Analysis: Given the notice provided to individuals above, describe what privacy risks were identified and how you mitigated them.

Notice is provided at the point of collection of the individual’s PII both in the hardcopy and the online Privacy Act Statement as a link to the privacy policy and is also on the instructions for the actual forms. In addition, routine uses are included in the SORN.

Section 7.0
Individual Access, Redress and Correction

The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.

7.1 What are the procedures which allow individuals to gain access to their own information?

A web-based application will allow individuals to electronically access and view the courses only they have completed. Verification of individuals’ identity is done through the use of a unique username and password. Further validation requires them to answer a security question. If users are unable to access their records electronically, they may follow procedures outlined in FEMA’s and the DHS’s Privacy Act regulations, 44 CFR Part 6 and 6 CFR Part 5. Requests for Privacy Act protected information must be made in writing, and clearly marked as a “Privacy Act Request.” The name of the requester, the nature of the record sought, and the required verification of identity must be clearly indicated. Requests should be sent to: FOIA Officer, Records Management, Federal Emergency Management Agency, Department of Homeland Security, 500 C Street, SW, Washington DC 20472.

7.2 What are the procedures for correcting erroneous information?

The same as above in 7.1. Students can also call or send an email to the IS Program office to request the correction of erroneous information. IS staff (throughout their daily operations and telephonic or e-mail interaction with students) correct and consolidate information as necessary and appropriate. If the student calls or emails, they will be required to provide their user name and answer their security question to verify their identity.

7.3 How are individuals notified of the procedures for correcting their information?

Procedures for correcting information are located on our EMI Contact Us webpage of our website (http://www.training.fema.gov/EMIWeb/contactus.asp). Additionally, individual can follow the procedures identified above in 7.1.

7.4 If no redress is provided, are alternatives available?

Not applicable.

7.5 Privacy Impact Analysis: Given the access and other procedural rights provided for in the Privacy Act of 1974, explain the procedural rights that are provided and, if access, correction and redress rights are not provided please explain why not.

Access to and correction of information is provided through the web-based application as well as procedures outlined in the DHS Privacy Act regulations, 44 CFR Part 6 and 6 CFR Part 5..

Section 8.0
Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

8.1 Which user group(s) will have access to the system?

The user groups with access are students, state or local training officials, FEMA employees, and contractors working for FEMA. Each user will have access to personally identifying information only to the extent necessary to perform their official roles on the system.

A student will have access to only his/her own training record, training plan, and access to courses.

State and local training officials will have limited access to only the individuals included in his/her state or organizational training records and training plan.

FEMA employees, authorized information technology (IT) contractors and IS Program administrative support contractors will have access to Emergency Management Training Program Home Study Courses System (Independent Study Database) only to extent necessary to perform their official duties. Each authorized contractor will have limited access to only that information pertinent to his/her function. Authorized IT contractors who handle the operations and maintenance of the system will have limited access to the system to support the trouble shooting of technical system issues encountered on a day-to-day basis. Authorized program administrative contractors who handle the daily process of paper enrollments and submissions and provide customer service support will have limited access to the system to provide support necessary to answer student inquiries and process exams. Some FEMA EMI staff and IT managers will have complete access to the system in order to ensure that the system is operating appropriately and in accordance with applicable regulations.

Additionally, the DHS Office of the Inspector General may request and be given access to the data, and the DHS/FEMA Office of Chief Counsel may request and be given access to the data to represent DHS/FEMA in personnel employment and litigation matters. Such internal data sharing is discussed in Section 4.0.

8.2 Will contractors to DHS have access to the system? If so, please submit a copy of the contract describing their role to the Privacy Office with this PIA.

Yes. Limited access is described in 8.1 above.

8.3 Does the system use “roles” to assign privileges to users of the system?

Yes. FEMA user access is managed via automated role-based access controls. The user's access into the system is limited only to the extent necessary based upon the user’s official role. Personally identifying information is granted only to the extent that it is necessary for a user to perform his or her official role. User roles are outlined as follows:

Student—only permits access to their individual student record information.

Jurisdictional Point of Contact and Organizational Point of Contact—only have rights to view employees’ completions within their jurisdiction or organization. Jurisdictional and Organizational Points of Contact will go through a vetting process whereby they must submit an official request to be listed as an organization or jurisdiction on their organization/jurisdiction’s letter.

State Training Officer—only has rights to view their state completion records. EMI currently maintains a list of State Training Officers that is updated daily and validated every year to ensure the appropriate STO is listed in the database.

Cadre Manager - only has rights to view their cadre’s completion records. EMI maintains a list of FEMA Cadre Managers.Leadership, Leadership Admin Assistant, Scheduler, and Course Manager – only have limited rights specific to the sections of the data that relate to their official positions.

IS Program Manager, Key Entry Operator, Customer Service Representative and DL Section Support – have access to student records and functions required to manage daily interactions with students.

Systems Administrators—allowed full access to the data for system backup and to troubleshoot any system issues.

8.4 What procedures are in place to determine which users may access the system and are they documented?

For users with roles other than “student”, they are vetted by the IS Contracting Officer’s Technical Representative (COTR) or the Independent Study Program administrative support personnel based on the user’s official role and duties as they relate to the Independent Study Program and access is limited to the extent necessary.

Technical, operational and management controls are in place allowing authorized users access only to the personal data necessary for each user’s official role and their required use of data. There are several roles within the system. These roles limit which rights and access people have in the system. Specific user roles are described in section 8.3 above.

The procedures will be documented in the Independent Study Program Standard Operating Procedures Manual which is scheduled to be updated by May 2009.

8.5 How are the actual assignments of roles and rules verified according to established security and auditing procedures?

Management controls will include periodic auditing of the system that will be donein accordance with DHS System Security guidelines as established in the 4300 guidelines, as well as following current FEMA policies and procedures. Roles and rules established within the application are governed by local system administrators and auditing of all user accounts is defined in the system requirements.

8.6 What auditing measures and technical safeguards are in place to prevent misuse of data?

The following controls are in place to prevent data misuse:

• Each authorized individual will have access to only that information pertinent to him/her.

• Activity logs (audit trails) are enabled and secured on the system and a periodic review will be conducted to monitor all user access.

• Procedures for the handling and storage of information are established to restrict access to unauthorized users.

8.7 Describe what privacy training is provided to users either generally or specifically relevant to the functionality of the program or system?

All FEMA employees are required to complete FEMA Annual Security Awareness Training, which addresses privacy and confidentiality awareness. In addition, all contract employees are required to adhere to the Privacy Act/Confidentially clauses as per terms of their contracts with FEMA.

8.8 Is the data secured in accordance with FISMA requirements? If yes, when was Certification & Accreditation last completed?

This system is currently under the C&A of another system, the FEMA Employee Knowledge Center (FEKC). When the Emergency Management Training Program Home Study Courses System (Independent Study Database) was placed under the FEKC, IT Cyber Security indicated that minor systems and sub-systems did not require a full C&A. A full Certificate and Accreditation of the upgraded system is being conducted since many enhancements have been made.

8.9 Privacy Impact Analysis: Given access and security controls, what privacy risks were identified and describe how they were mitigated.

FEMA/EMI has instituted strong security controls to ensure that the online collection of the Independent Study information is protected throughout the process. This includes extensive access controls and audit trails. The major privacy risk that was identified was the limited personally identifying information on students could be viewed by others. This was mitigated by implementing limitations on roles to only allow those with an official role and need to view certain data. In addition, verifying individuals are who they say they are was a concern. In order to address this issue, students are required to use strong passwords on their accounts and set up security questions and answers. This helps verify the students’ identity when calling or emailing for assistance from our Customer Service Representatives. Additionally, the transfer of any PII data will be protected through a Secure Socket Layer with 128 bit encryption.

Section 9.0
Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics and other technology.

9.1 Was the system built from the ground up or purchased and installed?

FEMA/EMI followed industry best practices and built the system from the ground up to replace a legacy system.

9.2 Describe how data integrity, privacy, and security were analyzed as part of the decisions made for your system.

The data resides on a server that is only accessible to authorized users. Access is further protected through authentication for the application, using a login and password. FEMA/EMI determined how the upgrade to the Emergency Management Training Program Home Study Courses System (Independent Study Database) would be selected by conducting a thorough requirements analysis and design – including integrity, privacy, and security considerations for the entire system. The analysis showed the need for several distinct roles to be developed in order to limit the amount of PII that would be available to certain roles. It also showed that we could eliminate certain PII currently being collected, such as the SSN, by changing current business processes. FEMA considered the protection of individual’s privacy when designing and building the system.

9.3 What design choices were made to enhance privacy?

In the redesign of the system, the use of the SSN as the unique identifier was eliminated to enhance privacy. The student could potentially use their SSN as their user name in the upgraded system, but it is not required and would not be recommended in order to limit the privacy data collected. In addition, unnecessary personally identifying information has been eliminated in the collection and display of student records and limited information is provided to data based strictly on users’ official roles.

Conclusion

The Emergency Management Institute (EMI) of the Federal Emergency Management Agency (FEMA), Department of Homeland Security (DHS), maintains an Independent Study database, the Emergency Management Training Program Home Study Courses System. This system collects and maintains student training completion information for the FEMA Independent Study program. FEMA’s Independent Study program enables individuals from local, tribal, state, federal agencies, and the general public to take various types of distance learning courses on an electronic platform. These courses cover various emergency management concepts. The information collected is used to create and update student records, track completions and failures, and issue completion certificates. Tracking training information is necessary to provide training completion data to the State, local, and Tribal emergency management agencies to satisfy their compliance with Homeland Security Presidential Directive‑5, “Management of Domestic Incidents and Homeland Security Presidential Directive-8, “National Preparedness”. This is a legacy electronic system that existed prior to 1990 (pre E-Government Act) and is being updated to implement improvements. A System of Records Notice (SORN) was published for this information collection on September 1990, volume 55, number 174, Page 37195. An update to the System of Records is in process.

Improvements to the system will include the collection of organizational information to limit the amount of personally identifying information in the system. Only the minimum necessary personally identifying information under the Privacy Act of 1974, 5 U.S.C. 552a (Privacy Act) will be collected. In addition, enhancements include system safeguards and the FEMA Independent Study Program will provide unique statistical data that will allow training officials to better meet their National Incident Management System (NIMS) compliancy.

The system was built from the ground up and was designed to replace a legacy system. It uses industry-standard best practices currently available.

The program was designed with privacy considerations in mind. Such considerations include eliminating the use of the Social Security Number, implementing security questions and passwords to verify individuals, and limiting information provided to internal and external organizations listed in our Routine Uses. Additionally encryption via a Secure Socket Layer will be implemented when sharing any PII> By collecting only the necessary individually identifying information and providing access to training records online, FEMA/EMI will be able to better support the needs of the Independent Study Program students and state and local training officials. This will enhance the accuracy and efficiency in the Independent Study Program, as well as allow the nation’s emergency management network the ability to easily access NIMS training compliance information and meet its mission-critical training objectives.

Responsible Officials

John A. Sharetts-Sullivan

Privacy Officer

Federal Emergency Management Agency

Department of Homeland Security

Approval Signature Page

________________________________ <<Sign

Hugo Teufel III

Chief Privacy Officer

Department of Homeland Security

FEMA EMI Emergency Management Training Program Home Study Courses System – PIA Page 23 of 21