U.S. DEPARTMENT OF
HOUSING AND URBAN DEVELOPMENT
INITIAL PRIVACY ASSESSMENT (IPA)
National Disaster Recover Competition –
Disaster Recovery and Reporting System
(DRGR-C08A)
[Community Planning and Development]
What is an Initial Privacy Assessment?
An Initial Privacy Assessment (IPA) is designed to assess whether a Privacy Impact Assessment (PIA), a Privacy Act system of records notice (SORN), and/or other related privacy documents are required. The responses to the IPA will provide a foundation for both a PIA and a SORN should either or both be required, and will also help to identify any policy concerns.
The IPA incorporates the matters previously addressed in the Department’s Privacy Identifiable Information (PII) Survey, and thus replaces the survey.
When should an IPA be completed?
An IPA should be completed during the system’s design phase, whether the system is electronic or contains only records in paper form, and should be completed before commencement of any testing or pilot project of an information system. Additionally, an IPA should be completed any time there is a change to the information system to determine whether there are any privacy issues as a result of such a change.
Who should complete the IPA?
The IPA should be written and reviewed by a combination of the component’s (e.g., Privacy Act Officer, System Owner, Project Leaders), and the program-specific office responsible for the system.
How is the IPA related to the Capital Planning and Certification and Accreditation process?
Upon completion and approval of the IPA by the Privacy Officer the official document may be uploaded into the C&A tool, and provided as part of the IT Capital Planning process as validation of the completed evaluation. The completed IPA demonstrates that the program components have consciously considered privacy and related requirements as part of the overall system design. For an IT system that does not require a C&A, such as a minor application that runs on a system that does require a C&A, an IPA still should be completed to determine if other related privacy documentation are required for that system or project.
Where should the completed IPA be sent?
A copy of the completed IPA should be sent to the Office of Privacy via email to [email protected] and [email protected]. The Privacy Officer will review the IPA and determine what additional privacy documentation is required, and then will advise the Program component accordingly.
Initial Privacy Assessment
INFORMATION ABOUT THE PROJECT/SYSTEM
Date submitted for review: XXXX |
|
|
Project Name/Acronym: Disaster Recovery Reporting System (DRGR) |
|
|
System Owner/Contact Information: Jessie Handforth Kome, 202-402-5539 |
|
|
Project Leader/Contact Information: James Stansell, 202-402-2158 CPD ISS0/Contact Information: Sam Walker, 202-402-3883
|
|
|
|
Paper-Only |
|
|
Combination of Paper and Electronic |
|
|
Electronic-Only |
|
|
Other: Please describe the type of project including paper based Privacy Act System of Records |
|
* Note: For this form purpose, there is no distinction made between technologies/ systems managed by contractors. All technologies/systems should be initially reviewed for potential privacy impact.
Provide a general description of the system or project that describes: (a) the functionality of the system and the purpose that the records and/or system serve; (b) who has access to information in the system; (c) how information in the system is retrieved by the user; (d) how information is transmitted to and from the system; and (e) interconnections with other systems.
DRGR is a web-based system used to electronically administer several HUD grant programs including Community Development Block Grant – Disaster Recovery (CDBG-DR, CDBG-National Disaster Resiliency Competition (CDBG-NDR; NDRC) awards, OneCPD Technical Assistance (OneCPD-TA), Neighborhood Stabilization Program Technical Assistance (NSP-TA), Rural Innovation Fund (RIF) and the Neighborhood Stabilization Programs (NSP1, NSP2 and NSP3). Grantees use DRGR to specify disaster impact, identify needs, develop action plans, propose activities, draw grant funds (via LOCCS interface), and report on accomplishments. HUD uses DRGR to track immediate and long-term grantee progress, approve draws, monitor funds, and ensure compliance with requirements specific to each grant. Information is transmitted to the DRGR system using the internet via a browser on the user’s PC or laptop. The DRGR system interfaces with the Line of Credit Control System (LOCCS).
Have the IPA been reviewed and approved by the Departmental Privacy Officer
|
YES |
|
NO (Please contact component privacy official before submitting official IPA.) |
Status of System or Project
|
This is a new system or project in development |
Specify expected production date: Do not complete Section II.
|
This is an existing system or project. |
After completing Section I, complete Section II.
System or project personal identifiers/sensitive information
YES |
NO |
Does the system or project collect, maintain use or disseminate other personal identifiers/ sensitive information (i.e., name, home address, home telephone number, date of birth, gender status, income/financial data. employment, medical history, criminal record, etc.)? |
|
|
If yes, briefly describe the types of information about individuals in the system.
Some grant program policies for programs such as NSP require that state/local and other organizations receiving grants enter addresses for single-family properties that receive funds for construction and repair, and homeownership assistance, but these records do not include the name or other personal identifying information of any persons residing at these properties.
To create new user accounts for grantees or HUD staff, we ask for their name and office address, phone # and email address.
Does the information about individuals identify particular individuals (i.e., is the information linked or linkable to specific individuals, often referred to as personally identifiable information?)
|
YES |
|
NO (If no, indicate below how the information is not identifiable to specific individuals. |
Does the personally identifiable information in the system pertain only to government employees, contractors, or consultants?
|
YES (If yes, specify individual type.) ___________________________________ |
|
NO (If no, indicate below how the information is not identifiable to specific individuals. |
Is there an existing Privacy Act System of Records Notice (SORN) that has been published in the Federal Register to cover the system? (Please consult with the component’s Privacy Act Officer if assistance is needed in responding to this question.)
|
YES |
|
NO |
SSN usage
YES |
NO |
Do the project or system collect, maintain, use, or disseminate Social Security Numbers (SSNs)? (This includes truncated SSNs) |
|
|
If yes, please provide the purpose/legal authority authorizing the solicitation of SSNs:
Is there a Certification & Accreditation record for your system?
|
YES (If yes, indicate the following :) |
|
||||||||
Confidentiality |
|
Low |
|
Moderate |
|
High |
|
Undefined |
||
Integrity |
|
Low |
|
Moderate |
|
High |
|
Undefined |
||
Availability |
|
Low |
|
Moderate |
|
High |
|
Undefined |
||
|
NO (If no, please identify the FISMA-reported system whose C&A covers this system.) |
|
||||||||
|
DO NOT KNOW |
|
||||||||
II. EXISTING SYSTEM OR PROJECT
When was the system developed? The DRGR system was developed in 1992 for HUD grantees following Hurricane Andrew to submit plans on projected use of funds and to provide subsequent progress/performance reports.
If an existing system, has the system undergone any changes since April 17, 2003?
|
YES (If yes, explain the nature of those changes and proceed to Question 3.) Significant changes to the DRGR system have been implemented. Below is a table summarizing all releases with major functionality changes since 2003:
|
|
Release # |
Release Date |
Business Benefits |
LOCCS Integration |
Release 6.3 |
9-Jan |
Integration of DRGR with LOCCS for purposes of drawing down grants. Users track grant and program income disbursements to other organization at the activity level through a drawdown module instead of self-reporting and making draws at the grant/program level. This removes the need for reconciliation between systems. |
Microstrategy / |
Release 6.4 |
9-Jul |
Allows HUD users and grantee users to extract DRGR data in Microstrategy to compare to grantee data systems and to also examine patterns in data needed for program compliance reviews and data correction. |
Single Sign on |
|||
Grantee Oversight Activities: Monitoring, Audit, Technical Assistance |
Release 6.5 |
10-Apr |
Permits remote review of grantee oversight activities used to prevent fraud, waste, and abuse. Grantees enter data on compliance reviews made of other organizations funded under CPD grant programs in DRGR and organizations that receive technical assistance from the grantees. HUD staff can review the data remotely to assess risk and identify need for HUD monitoring and technical assistance. |
Beneficiary Data: Census Data Lookup Tables and Race/Ethnicity Data Entry |
Release 7.0 |
10-Sep |
DRGR added census data lookup and calculation screens in Action Plan, DRGR also added Race/Ethnicity data entry screens for FHEO in QPR. Both types of screens permit remote review of data for purposes of risk assessment and HUD compliance monitoring. Release also included new user certification screens based on OIG findings in 2009-DP-0007. Re-certifications required each six months. |
User Certification Screens |
|||
Improved Financial Management of Program Income |
|
11-Dec |
Grantees are required to spend program income (funds generated from grant programs) before drawing down additional grant funds. This release improved management of program income by providing receipt screens instead of quarterly reports of program income disbursed and used available balance calculations to enforce requirements to disburse program income funds before grant funds based on applicable program regulations and notices. The release included enhanced audit trail/data change history files based on OIG findings in 2011-DP-0008 |
Release 7.3 |
|||
Customization of Screens for |
Release 7.4 – Release 7.6 |
Apr-12 to Nov-12 |
Customization of TA request and workplan screens to improve oversight of TA programs. The release will allow for processing of TA requests, TA workplans, invoices, and payments within DRGR rather than depending on external distribution of documents for management of TA engagements. The release will include remaining audit trail/data change history items from OIG findings in 2011-DP-0008 |
Technical Assistance (TA)Programs |
|||
Improved Function and Data Upload |
Release 7.7 |
October 4, 2013 |
New functions for reporting Program Income and Affordability Periods for addresses under closed grants in the NSP Programs. Additional new data upload functions for setting up vouchers and creating QPR activity profiles. |
Expanded Data Upload Capability; Grant Closeout Checklists Added |
Release 7.8 |
Dec. 13, 2013 |
Expanded the data upload capabilities of DRGR and also added checklists into the system for Grant Closeout, Action Plans and QPRs. |
New User Roles and Enhanced Data Upload |
Release 7.9 |
March 7, 2014 |
Changed who has the ability to submit QPRs and Action Plans by adding new roles to be requested in addition existing user roles. Microstrategy upgrade. Enhanced uploading functions. Drawdown users enabled to classify returned funds to be either applicant to the Line of Credit or not (returned to the Treasury). |
Changed New User Request Method, Improved Display, Added Service Area Mapping |
Release 7.10 |
May 20, 2014 |
Changed the method by which new users are requested; improved how Action Plans and QPRs are displayed, including the ability to upload shape files and draw shapes in a map viewer; and Public Reports updated to reflect all active grants. |
Resolved technical issues |
Release 7.10.1 |
September 13, 2014 |
Resolved issues in the Action Plan, QPR, and Drawdown modules. In addition, resolved issues related to Section 508 compliance and Microstrategy reporting. |
|
NO (If no, proceed to question 5.) |
Do the changes to the system or project involve a change in the type of records maintained, the individuals on whom records are maintained, or the use or dissemination of information from the system?
|
YES |
|
NO |
Please indicate if any of the following changes to the system or project have occurred: (Mark all boxes that apply.)
|
A conversion from paper-based records to an electronic system. |
|
A change from information in a format that is anonymous or non-identifiable to a format that is identifiable to particular individuals. |
|
A new use of an IT system, including application of a new technology that changes how information in identifiable form is managed. (For example, a change that would create a more open environment and /or avenue for exposure of data that previously did not exist.) |
|
A change that results in information in identifiable form being merged, centralized, or matched with other databases. |
|
A new method of authenticating the use of an access to information in the identifiable form by members of the public. |
|
A systematic incorporation of databases of information in identifiable form purchased or obtained from commercial or public sources. |
|
A new interagency use of shared agency function that results in new uses or exchanges of information in identifiable form. |
|
A change that results in a new use of disclosure of information in identifiable form. |
|
A change that results in new items of information in identifiable form being added into the system. |
Does a PIA for the system already exist?
|
YES (If yes, provide the date and title of the PIA and whether the PIA is posted on the Privacy Office webpage). The existing DRGR PIA was done in May 2005 and yes it is posted on the Privacy Office webpage. |
|
NO. |
IPA Determination/Approval
(To be completed by the Privacy Office)
DATE REVIEWED: |
REVIEWERS NAME: |
|
This is NOT a Privacy Sensitive Project – the project contains no personal identifiers/sensitive information |
|
This IS a Privacy Sensitive Project |
|
PTA sufficient at this time |
|
A PIA is required |
COMMENTS:
|
|
______________________________________________ _______________________________
Program Director Signature Date
[Title]
_______________________________________________ ________________________________
Departmental Privacy Officer Signature Date
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| Author | h04105 |
| File Modified | 0000-00-00 |
| File Created | 2021-01-26 |