GAANN PIA update 2-2015

GAANN PIA Website Update 2_2015.docx

Graduate Assistance in Areas of National Need (GAANN) Performance Report


OMB: 1840-0748



Privacy Impact Assessment



for the


Graduate Assistance in Areas of National Need (GAANN) Performance Report System


April 8, 2013


Point of Contact:

Rebecca Green, GAANN Program Manager

(202) 502-7779

Rebecca.Green@ed.gov


System Owner:

Katie Blanding, Director, SSB (202) 219-7049

Katie.Blanding@ed.gov


Author:

Rebecca Green, GAANN Program Manager

(202) 502-7779

Rebecca.Green@ed.gov


Office of Post-Secondary Education


U.S. Department of Education

1. System Information. Describe the system - include system name, system acronym, and a description of the system, to include scope, purpose and major functions.


The system is a web-based interface where grantees will log in to provide the student-level data required for Graduate Assistance in Areas of National Need (GAANN) recipients. The scope of the collection is for the duration of a three-year award. The purpose and major function are to ensure that the goals of the program are being met.


2. Legal Authority. Cite the legal authority to collect and use this data. What specific legal authorities, arrangements, and/or agreements regulate the collection of information?


The information is collected under the authority of Title VII, Part A, Subpart 2, Section 711 of the Higher Education Act of 1965, as amended; the program regulations in 34 CFR 648; and the Education Department General Administrative Regulations (EDGAR) in 34 CFR 74.51.


Further, the performance report form lends itself to the collection of quantifiable data needed to respond to the requirements of the Government Performance and Results Act (GPRA). Grantees are required to provide the data requested in order to obtain or retain grant funding according to 20 U.S.C. 1135, 34 CFR Section 648.66.


3. Characterization of the Information. What elements of personally identifiable information (PII) are collected and maintained by the system (e.g., name, social security number, date of birth, address, phone number)? What are the sources of information (e.g., student, teacher, employee, university)? How is the information collected (website, paper form, on-line form)? Is the information used to link or cross-reference multiple databases?


The GAANN program awards fellowships through academic institutions of higher education. Both the Annual Performance Report (APR) and the Final Performance Report (FPR) collect individual student records provided by the grantee institution. The individual student records contain such information as the student's name, citizenship status, race and ethnicity, and education and financial data. The data will not cross-reference multiple databases.


4. Why is the information collected? How is this information necessary to the mission of the program, or contributes to a necessary agency activity? Given the amount and any type of data collected, discuss the privacy risks (internally and/or externally) identified and how they were mitigated.


The information contained in this system is being collected to assist in monitoring grantee performance and to determine program outcomes in response to the requirements of the GPRA. GPRA does not specifically require the collection of individual participant records with personal information. However, to determine if the goals of the program are being met, the academic progress of program participants must be tracked over multiple years. Collecting name, citizenship, race and ethnicity, student education and financial information is the most reliable method for tracking a student during the grant period to determine program effectiveness and grantee compliance. Although the collection of this information is not required by statute, it serves a distinct business need for the Department of Education (Department). The collection of this information serves as an identifier for matching participant records during the period of the grant and tracking those students during the grant period. The information collected is compiled for three program goals:


1) Graduate school completion: the percentage of GAANN Fellows completing the terminal degree in the designated areas of national need;

2) Enrollment of targeted populations: the percentage of GAANN Fellows from traditionally underrepresented groups; and

3) Time-to-Degree: the median time to completion of Masters and Doctorate degrees for GAANN students.


Grantees are required to provide the data requested in order to obtain or retain grant funding, according to 20 U.S.C. 1135, 34 CFR Section 648.66.


In addition, grantees are required to submit a supplement to the FPR two years after the expiration of their GAANN grant. This will provide updated academic and employment outcomes of each GAANN Fellow reported on the FPR submitted two years earlier. The information collected will allow the program to demonstrate the efficiency and effectiveness of the program.


5. Social Security Number (SSN). If an SSN is collected and used, describe the purpose of the collection, the type of use, and any disclosures. Also specify any alternatives that you considered, and why the alternative was not selected. If system collects SSN, the PIA will require a signature by the Assistant Secretary or designee. If no SSN is collected, no signature is required.


SSNs will not be collected or maintained in this system.


6. Uses of the Information. What is the intended use of the information? How will the information be used? Describe all internal and/or external uses of the information. What types of methods are used to analyze the data? Explain how the information is used, if the system uses commercial information, publicly available information, or information from other Federal agency databases.


The Department uses APR and FPR data to: (1) evaluate program accomplishments; (2) demonstrate program effectiveness; and (3) aid in compliance monitoring.


Collecting performance report data on an annual basis provides the Department with the ability to assess each grantee’s progress in meeting the program’s goals and objectives and to determine compliance with the statute and program regulations. APR and FPR data have also been instrumental in determining whether grantees are entitled to continuation funding by analyzing financial data submitted by grantees.

The data collected from the FPR also produces data for the web-based software platform the Department uses that extrapolates data from the FPR in a consistent format. This data enables the Department to meet the requirements of GPRA.


With the updates provided to the supplemental FPR two years after a grant ends, we will be able to capture updated academic and employment status for fellows previously reported. This will provide the Department with an opportunity to collect more complete performance data for GPRA.


7. Internal Sharing and Disclosure. With which internal ED organizations will the information be shared? What information is shared? For what purpose is the information shared?


Grantees will only have access to their information. Office of Postsecondary Education (OPE) staff and the contractor, Computer Business Methods Incorporated (CBMI), which designed and maintains the GAANN performance reporting system, will have access to the performance reporting system.


8. External Sharing and Disclosure. With what external entity will the information be shared (e.g., another agency for a specified programmatic purpose)? What information is shared? For what purpose is the information shared? How is the information shared outside of the Department? Is the sharing pursuant to a Computer Matching Agreement (CMA), Memorandum of Understanding or other type of approved sharing agreement with another agency?


The contractor (CBMI) will have shared access to the performance-based data. The contractor maintains the web-based database to collect APR and FPR data and to develop reports to meet the requirements of GPRA.


9. Notice. Is notice provided to the individual prior to collection of their information (e.g., a posted Privacy Notice)? What opportunities do individuals have to decline to provide information (where providing the information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how individuals can grant consent?


Institutions of higher education that receive a GAANN grant are required to submit APR and FPR data in order to obtain or retain grant funding, according to 20 U.S.C. 1135, 34 CFR Section 648.66.


These OMB-approved documents require grantees to submit student-level data on each student served. Institutions that use the program’s web-based software must read a statement and log in to access the system used for data collection. Prior to gaining access to the system, grantees must read the following notices:

Warning


This is a United States Department of Education computer system, which may be accessed and used only for official Government business by authorized personnel. Unauthorized access or use of this computer system may subject violators to criminal, civil, and/or administrative action.


Use of this network constitutes consent to monitoring, retrieval, and disclosures of any information stored within the network for any purpose including criminal prosecution.


Privacy Act


Performance-based data submitted by grantees contains confidential student-based information. This information is collected through a secured Website that meets the Department’s rules and standards for security of sensitive data. The data reside in a secured facility in a secured server behind a Department-approved firewall system that continuously monitors for intrusion and unauthorized access. The IT contractor security staff is notified of Windows security updates, views server security status reports, applies updates as needed, and uses anti-virus software on all servers and workstations.


The data collection site requires grantees to log in with a Department issued login ID and password. All screens and data transfers are encrypted and transmitted using hypertext transfer protocols (HTTPS). The IT contractor transfers the data to the analysis contractor via a secured file transfer protocol (FTP) site. As with the IT contractor, the data analysis contractor’s security program is compliant with federal government regulation and National Institute of Standards and Technology (NIST) standards.


Only contractor staff that supports the data collection or data analysis and Department staff are allowed access to the data. Contractor staff has appropriate security clearances and also signs confidentiality and non-disclosure agreements to protect against unauthorized disclosure of confidential information.


10. Web Addresses. List the web addresses (known or planned) that have a Privacy Notice.


The following web addresses list the Security and Warning notice:


https://opeweb.ed.gov/gaannfpr

https://opeweb.ed.gov/gaannapr

https://opeweb.ed.gov/gaannadmin (Department Staff and CBMI contractors only)

https://opeweb.ed.gov/GAANN

11. Security. What administrative, technical, and physical security safeguards are in place to protect the PII? Examples include: monitoring, auditing, authentication, firewalls, etc. Has a C&A been completed? Is the system compliant with any federal security requirements?


The last GAANN C&A was in February 2010.

Initial Security Training is conducted followed by annual refresher training. The GAANN performance report site displays a banner to notify all users that they are accessing a government system and are subject to monitoring and penalties for misuse. The network administrator analyzes server audit records on a daily basis to discover any security incidents. GAANN requires users to identify themselves uniquely before allowing them to perform any actions on the system. GAANN uses both a web application server and a database server. The CBMI network firewalls continuously monitor for intrusion and unauthorized access. The Network/System Administrator conducts quarterly vulnerability scans. The Application Analyst conducts a security impact assessment prior to making changes to GAANN.


12. Privacy Act System of Records. Is a system of records being created or altered under the Privacy Act, 5 U.S.C. 552a? Is this a Department-wide or Federal Government-wide SORN? If a SORN already exists, what is the SORN Number?


A system of record notice is not needed because the information collected is not retrieved by any personal identifiers. Therefore, a system of record as defined by the Privacy Act is not being created and the reporting requirements of OMB Circular A-130 do not apply.


13. Records Retention and Disposition. Is there a records retention and disposition schedule approved by the National Archives and Records Administration (NARA) for the records created by the system development lifecycle AND for the data collected? If yes – provide records schedule number:


The records disposition schedule is ED 254: Grant Administration and Management Files. Disposition: Temporary. Destroy/Delete 5 years after grant closure, completion of monitoring, or audit resolution, if audited, whichever is later.


The records schedule number is N1-441-11-001.

Certifying Officials Signatures:


Senior Program Official: Date





Computer Security Officer/ Information System Date

Security Officer







For Systems That Collect, Maintain and or Transfer SSNs







Assistant Secretary or designee Date





Kathleen Styles, Chief Privacy Officer Date

File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author: Ell, Rebecca
File Modified: 0000-00-00
File Created: 2021-01-25
