Privacy Impact Assessment (PIA)

EDGAR PIA_Redacted.pdf

Form S-1 Registration Statement

OMB: 3235-0065

US Securities and Exchange Commission
Office of Information Technology
Alexandria, VA


Electronic Data Gathering, Analysis, and Retrieval System 


August 6, 2008 

Office of Information Technology 

EDGAR Program Office 

Electronic Data Gathering, Analysis, and Retrieval System (EDGAR) PIA

Project Manager/ System Owner(s)
Title: Assistant Director, EDGAR Program Office
Organization: Office of Information Technology

System Owner(s)
Title: Acting Chief Information Officer
Organization: Office of Information Technology

GENERAL INFORMATION - Project/System Information
1. 	 Name of Project or System.
EDGAR - Electronic Data Gathering, Analysis, and Retrieval System
2. 	 Description of Project or System.
EDGAR is the SEC's electronic filing system. EDGAR performs automated collection,
validation, indexing, acceptance, and dissemination of submissions by companies and
individuals. These submissions are required by federal securities laws' regulations and are
released for public disclosure.
3. 	 What is the purpose of the Project or System?
EDGAR provides an automated method of collecting and disseminating submission data.
The automation offers increased efficiency and speed which benefits investors, the
Commission, and filers. The application is integral to the SEC's mission of full disclosure
and to promote capital formation. It allows the Commission to easily review submission
data and speeds delivery to the public of time-sensitive corporate and investment company
information. Data is also collected from investment companies to ensure disclosure in
accordance with SEC rule and form requirements and compliance with securities laws and
regulations. Data collected from institutional investment managers discloses holdings of
those managers.
4. 	 Requested Operational Date?
1988 (This PIA is to document a preexisting system)
5. 	 System of Records Notice (SORN) number?
Documents and filings made via EDGAR are covered by SEC 1- SEC-8.
6. 	 Is this an Exhibit 300 project or system? Yes.
7. 	 What specific legal authorities, arrangements, and/or agreements require the collection of this
information? The Securities Act of 1933, The Securities Exchange Act of 1934, the Trust
Indenture Act of 1939, the Investment Company Act of 1940, and the electronic filing rules
and regulations under these Acts and Regulation S-T.


SECTION I - Data in the System
1. 	 What data is to be collected?
There are many rules written concerning the data to be collected in the various submission
types found in Template 1, Template 2 and Template 3. (See attached). A copy of each form
is available on the SEC Public Site via the Forms List (PDF Version). In addition, data
collected on Ownership Submission Types include Name, Phone Number, E-mail, and
Mailing Address. Filer data is also collected online and includes name, address information,
phone number, email address, tax payer ID number, state of incorporation, and fiscal year
2. 	 What are the sources of the data? The data source is information obtained from Filers (both
companies and individuals), filing agents, training agents, transfer agents, securities
exchanges, and broker/dealers. Third Parties, usually filing agents or law firms, may file on
behalf of companies or individuals when authorized by the EDGAR filers. These parties
send their documents to the Commission through EDGAR.
3. 	 Why is the data being collected?
Filers submit documents to fulfill their obligations under the federal securities regulations.
The SEC staff uses EDGAR to ensure that the documents provided by the companies meet
disclosure requirements in that they provide investors with material information with regard
to disclosure and financial condition of the company and offerings of securities to public
investors. Data collected from broker dealers and transfer agents allow the Commission staff
to ensure compliance with business practices prescribed by regulation. The data collected
can then be utilized by the public to make investment decisions.
4. 	 What technologies will be used to collect the data?
On-line and off-line data entry applications through the Internet.
5. 	 Does a personal identifier retrieve the data? Yes. EDGAR uses a unique identifier for both
companies and individuals called a Central Index Key. That key is not mapped to
any other unique identifier. The key is a public number.

SECTION II - Attributes of the Data (use and accuracy)
1. 	 Describe the uses of the data.
The data is used by SEC staff to perform reviews of disclosure documents submitted to the
SEC. The data is also used by the general public to facilitate informed investment decision­
2. 	 Does the system analyze data to assist users in identifying previously unknown areas of
note, concern or pattern? The system provides information intended to facilitate informed
investment decision making by users of the data.


3. How will the data collected from individuals or derived by the system be checked for
accuracy? There are many checks in the system to validate the information. Some of the data
is examined by SEC staff; however, it is the filer's responsibility to ensure accuracy of the

SECTION III - Sharing Practices
1. 	 Will the data be shared with any internal or external organizations? Yes.
EDGAR is an enterprise system; the data is shared amongst all SEC internal organizations.
The data that is collected as public data is disseminated.
2. 	 How is the data transmitted or disclosed to the internal or external organization?
The data is transmitted to the internal organizations through the workstation application,
through database replication, and through other applications. It is transmitted electronically
to the SEC's Public site through the SEC's network and to disseminators through the Internet
and dedicated telecommunications lines.
3. 	 How is the shared data secured by external recipients? Since the data is in the public domain
and widely distributed, the need for security is limited. Each individual or subscriber
determines their own internal procedures for securing the data available on their site.

SECTION IV - Notice to Individuals to Decline/Consent Use

1. 	 Was notice provided to the different individuals prior to collection of data? Notice was
provided to individuals via a Privacy Act Statement found on the various forms utilized for
submission of the data.
2. 	 Do individuals have the opportunity and/or right to decline to provide data? Yes
Information obtained from filers is based on the requirements of federal securities laws. To
fulfill those requirements, filers must submit data and as such it is not optional. Personal and
privacy act data is not collected from filers. Also, certain personal information such as
address and telephone information can be limited as long as the Commission has enough
information to identify and contact the filer as required.
3. Do individuals have the right to consent to particular uses of the data? Yes

SECTION V - Access to Data (administrative and technological controls)
1. 	 Has the retention schedule been established by the Records Officer? If so, what is the
retention period for the data in the system? Yes. The retention schedule is commensurate
with the System of Records Notice applicable to the filing type. (See SEC 1-SEC-8)
2. 	 What are the procedures for identification and disposition of the data at the end of the
retention period? The procedures for identification and disposition of the data are
commensurate with the System of Records Notice applicable to the filing type. (See SEC 1-


3. 	 Describe the privacy training provided to users, either generally or specifically relevant to the
program or system? Training is provided by the Privacy Office through General Privacy
Awareness Training, which all SEC employees must complete yearly. Training is also
provided by Filer Technical Support on EDGAR functionality.
4. 	 Will SEC contractors have access to the system? Yes
5. 	 Is the data secured in accordance with FISMA requirements?
-If NO, answer questions 6-9 below.
-If YES, provide date that the Certification & Accreditation was completed.
Yes. EDGAR was recertified and reaccredited on Nov 19, 2007.
6. 	 Which user group(s) will have access to the system?
Filers, filing agents, SEC staff, contractors on behalf of SEC staff, training agents,
disseminators, individuals, and third party filers.
7. 	 How is access to the data by a user determined? Are procedures documented?
Divisions and Offices control user access. The procedures are established and documented by
the Divisions and Offices.
8. 	 How are the actual assignments of roles and rules verified according to established security
and auditing procedures? Division offices control user access. The procedures are owned by
the various SEC Divisions. The assignment of roles is verified by the EDGAR program
9. 	 What auditing measures/controls and technical safeguards are in place to prevent misuse (e.g.,
unauthorized browsing) of data?
Application level controls, physical controls, database level controls, network level controls,
auditing, etc.

SECTION VI - Privacy Analysis
Given the amount and type of data being collected, discuss what privacy risks were identified
and how they were mitigated.
A privacy risk was identified as it related to registrants who may inadvertently provide personal
information in public filings that could possibly lead to identity theft. In order to mitigate
possible risks various rules were amended to include language requesting that filers not submit
such information, and internal technological controls were put in place to assist in the
identification of such risks in filings received and posted to the SEC website.


File Type: application/pdf
File Modified: 2014-10-06
File Created: 2011-07-08
