Download:
pdf |
pdfPrivacy Impact Assessment
for the
Document Management and Records
Tracking System
(DMARTS)
DHS/FEMA/PIA-009(a)
May 15, 2013
Contact Point
Eddie Chambers
Office of the Chief Information Officer
Federal Emergency Management Agency
(202) 646-3335
Reviewing Official
Jonathan R. Cantor
Acting Chief Privacy Officer
Department of Homeland Security
(202) 343-1717
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 1
Abstract
The U.S. Department of Homeland Security (DHS), Federal Emergency
Management Agency (FEMA), Mission Support Bureau (MSB), Office of the Chief
Information Officer (OCIO) operates the Document Management and Records Tracking
System (DMARTS). DMARTS is an electronic document management and records
management system that retrieves, stores, and disseminates personally identifiable
information (PII) on individuals applying for disaster assistance benefits. FEMA is
conducting this PIA because DMARTS retrieves, stores, and disseminates PII about
members of the public seeking disaster assistance from FEMA.
Overview
FEMA OCIO operates DMARTS for the FEMA entities that manage disaster
assistance. DMARTS is an electronic document management and records management
system that supports FEMA’s mission to help citizens recover from Presidentiallydeclared disasters by retrieving, storing, and disseminating disaster assistance data from
individuals applying for disaster assistance under the Robert T. Stafford Disaster Relief
and Emergency Act (Stafford Act), 42 U.S.C. § 5174.
DMARTS streamlines the disaster assistance process by extracting data from both
the Automated Construction Estimate 3 (ACE3) and National Emergency Management
Information System-Individual Assistance (NEMIS-IA) systems. ACE3 and NEMIS-IA
are the source systems and first point of entry for disaster assistance applications
(NEMIS-IA) and damaged property estimates (ACE3).1 FEMA primarily uses these two
systems when making disaster assistance benefit/payment determinations.
DMARTS consolidates document management functions from NEMIS-IA and
ACES3 into a single integrated records management system. This consolidation is
necessary to: (1) streamline the disaster assistance application process for reporting
purposes; (2) aid in accurate and proper benefit determination; (3) eliminate duplication
of effort and duplication of benefits; and (4) help the agency to maintain the most up-todate and accurate information on disaster assistance applicants. DMARTS provides
document capture, repository, and workflow functions but does not alter the data captured
and maintained by ACE3 and NEMIS-IA. DMARTS receives disaster assistance-related
documents from ACE3 and NEMIS-IA and allows authorized users to locate, access,
store, retrieve, manage, and archive documents and create consistent, streamlined,
supportable processes for the user community.
1
More information on NEMIS-IA and the ACE interaction can be found in the NEMIS-IA PIA:
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_fema_nemis_ia_20120629.pdf. NEMIS-IA is
covered by the DHS/FEMA–008 Disaster Recovery Assistance Files System of Records, April 30, 2013, 78
FR 25282.
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 2
DMARTS stores both data about members of the public who apply for disaster
assistance applications and data regarding FEMA employees and contractors. DMARTS
serves as a repository for (1) individual disaster assistance information collected from
disaster assistance applicants through the NEMIS-IA and (2) associated repair estimate
information generated by ACE3. Employee and contractor data may be collected as part
of the disaster assistance application process, as well as documentation from ACE3. The
ACE3 system generates cost estimates for disaster recovery construction which
DMARTS stores and indexes by applicant registration number.
FEMA users upload disaster assistance applications into DMARTS as images that
contain some or all of the listed PII detailed in Section 2.1. FEMA receives information
in three distinct modes. First, disaster applicants and case workers may fax documents
directly to the DMARTS’ fax server. The DMARTS fax server receives the fax, converts
it to an image file, uploads it to the system, and then indexes it to the appropriate
record. The fax server is a one-way, inbound system. It does not send faxes or initiate
any external communications. Second, disaster applicants may submit documents
electronically via www.disasterassistance.gov or mail hardcopy documents to the
Disaster Assistance general mailing address as identified in the instructions. FEMA
Indexers receive, review, index, and upload the documents to the DMARTS system.
Third, applicants call into the Disaster Assistance tele-registration helpline to speak with
a Disaster Assistance representative who transcribes the applicant’s registration data and
then uploads it into DMARTS. DMARTS links documents to applicants in both
DMARTS and NEMIS-IA through the registration numbers. Similarly, when FEMA
enters a construction estimate into ACE3, an image of the document uploads
automatically into DMARTS and the document links to the applicant through the same
registration number described above. Additionally, the username of the Indexer is logged
into DMARTS, and all other information is stored in NEMIS-IA and is only accessed by
DMARTS as a database view to link documents to applicants.
FEMA provides notice of its collection of information to facilitate the distribution
of disaster assistance through Privacy Act Statements on electronic systems (NEMIS-IA),
verbal communication (recited by Operators at the National Processing Service Centers
when disaster survivors call the helpline to apply for assistance over the phone), and on
all paper based applications prior to collecting and storing data in NEMIS-IA and ACE3.
FEMA provides a Privacy Act Statement (Appendix B) on its disaster application forms
(and its variations) as well as on other disaster assistance forms, which are listed in
Appendix A (see Section 4.0 for details).
The primary privacy risk identified with DMARTS is that it consolidates data
from two underlying source systems, and does not collect information directly from
individuals. This leads to possible data quality and accuracy issues within DMARTS due
to its reliance on underlying source data systems. DMARTS assumes the accuracy of the
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 3
information that it receives from NEMIS-IA and ACE3. If a redress request is filed,
FEMA corrects data directly within the NEMIS-IA and ACE3. Once FEMA updates the
information in NEMIS-IA and ACE3, these corrections and/or updates are matched by
the applicant’s registration number and uploaded into DMARTS.
FEMA ensures that the practices stated in this PIA are reinforced by providing
training to the users on the policies and rules of behavior. FEMA also uses auditing and
accountability capabilities through Windows and Linux platform system file functions
and access controls through the Authentication and Provisioning Services (APS) system,
which is outlined and detailed in Section 8.1.
Section 1.0 Authorities and Other Requirements
1.1
What specific legal authorities and/or agreements permit
and define the collection of information by the project in
question?
Robert T. Stafford Disaster Relief and Emergency Assistance Act, as
amended, 42 U.S.C. §§ 5121 - 5207 and Reorganization Plan No. 3 of 1978;
Section 312 of the Robert T. Stafford Disaster Relief and Emergency
Assistance Act, as amended, 42 U.S.C. § 5155, prohibits persons,
business concerns, and other entities from receiving benefits for a loss
that would duplicate financial assistance received under other
programs, from insurance, or from any other source;
Section 408 of the Robert T. Stafford Disaster Relief and Emergency
Act, as amended, 42 U.S.C. § 5174, authorizes the President to provide
financial assistance to individuals and households in the state who, as a
direct result of a major disaster, have necessary expenses and serious
needs that they are unable to meet through other means;
The Debt Collection Improvement Act of 1996, 31 U.S.C. 3711(g); Section
401 of the Personal Responsibility and Work Opportunity Reconciliation Act
of 1996, 8 U.S.C. § 1611;
Executive Order No. 13411, Improving Assistance for Disaster Victims,
August 29, 2006, 71 FR 52,729 (September 6, 2006), provides for improving
disaster assistance to the public by providing centralized access to all
federally-funded disaster assistance programs.
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 4
1.2
What Privacy Act System of Records Notice(s) (SORN(s))
apply to the information?
The information in DMARTS is covered by DHS/FEMA-008 Disaster Recovery
Assistance Files System of Records, 78 FR 25282 (April 30, 2013) and DHS/ALL-004General Information Technology Access Account Records System, 77 FR 70792
(November 27, 2012).
1.3
Has a system security plan been completed for the
information system(s) supporting the project?
DMARTS was granted an Authority to Operate (ATO) in October 2007. The
ATO was renewed in January 6, 2013, and expires in January 6, 2015.
1.4
Does a records retention schedule approved by the National
Archives and Records Administration (NARA) exist?
DMARTS records related to registration for assistance, inspections reports,
temporary housing assistance eligibility determinations, and eligibility decisions for
disaster aid from other federal and state agencies are covered by Records Schedule N1311-86-1 4C10a and are destroyed after 6 years and 3 months.
DMARTS records related to state files, which contain records of persons who
request disaster aid, are covered by Records Schedules N1-311-86-1 4C7 and/or N1-31186-1 4C10b and are destroyed 3 years after closeout.
1.5
If the information is covered by the Paperwork Reduction
Act (PRA), provide the OMB Control number and the
agency number for the collection. If there are multiple
forms, include a list in an appendix.
DMARTS is not subject to PRA requirements because there are no specific forms
completed by the public used to populate the information in DMARTS. DMARTS
receives information from source systems NEMIS-IA and ACE3. All information
collections for each source system are responsible for compliance with the PRA. (See
Appendix A for a list of OMB control numbers for relevant FEMA forms.)
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 5
Section 2.0 Characterization of the Information
2.1
Identify the information the project collects, uses,
disseminates, or maintains.
DMARTS collects information through NEMIS-IA, which collects information
from external sources such as individuals, states, or agencies applying for disaster
assistance, and through ACE3, which collects data on Inspectors (who are contractors).
DMARTS may also collect information directly from FEMA employees and contractors
as part of the registration process. Data collected includes:
NEMIS-IA:
Applicant Information:
Prefix (Mr., Ms.);
Name (First, Middle, Last);
Social Security Number;
Date of Birth;
Number of Dependents;
Income Information;
Financial Information (Electronic Transfer Participation,
Information, Account Information, Pre-disaster income);
Phone Numbers (Current, Damaged Property, Alternate, and Cell);
Alternate Phone Notes field;
Email Address;
Addresses (Mailing/Current and Damaged Property);
Dwelling Residence Own/Rent Flag;
Damaged Dwelling Place (City/County/Parish);
Damaged Dwelling Information (Type of Home, Primary Residence Flag,
Restricted Access);
Damaged Dwelling Insurance (Y/N and Company Name);
Other Insurance (Y/N and Company Name);
Vehicle Insurance Flags (Y/N; Liability and Comprehensive);
FEMA Disaster Number;
Institution
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 6
Damage Type (Fire/Smoke, Water, etc.);
Disaster-related Losses Damage Flags (Home, Personal Property, Utilities);
Expense Flags (Medical, Dental, Funeral; Y/N);
Vehicle Information (Registration, Damage, Drivable, Make, Model, Year);
Other Expenses Flag (Y/N);
Emergency Needs (Checkbox; Food, Clothing, Shelter);
Special Needs Flags (Mobility, Mental, Ear, Eye, Other; Y/N);2
Special Needs Option Information; and
Self-Employment/Business Damages.
Occupant Information:
Name (First, Middle, Last);
Social Security Number;
Age; and
Relationship to Applicant.
FEMA Employee/Contractor:
User Name.
Estimates of Damage (Home or Personal Property);
Claimant Name;
Inspector ID Number;
Date of Birth;
Mailing Address; and
FEMA Application Number.
ACE3:
2
Since this information is collected by the disaster assistance application form and in-turn, entered into
NEMIS-IA, this indicator is an automatic data element of DMARTS. DMARTS captures images of
applications. The source system NEMIS-IA collects special needs info, specifically the “mental” data
element, because this is a vital piece of information in order for FEMA to determine how they may best
assist a disaster victim/survivor that may be mentally impaired.
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 7
2.2
What are the sources of the information and how is the
information collected for the project?
The sources of information for DMARTS are NEMIS-IA and ACE3. DMARTS,
NEMIS-IA, and ACE3 all leverage the applicant’s registration number as a universal
identifier, which is used to link information/documents. The disaster assistance
registration number is systematically generated by NEMIS-IA at the time of application
for disaster assistance. A FEMA employee (Indexer) uploads disaster assistance
applications from NEMIS-IA into DMARTS as form images. Additionally, when a
construction estimate is entered into ACE3, an image of the document is uploaded to
DMARTS. The ACE3 document is also linked to the applicant through the use of the
same registration number described above. All source information is stored in NEMISIA and ACE3 and can only be accessed in DMARTS as a database view to link
documents to applicants.
2.3
Does the project use information from commercial sources
or publicly available data? If so, explain why and how this
information is used.
No, DMARTS does not use publically available data or information from
commercial sources.
2.4
Discuss how accuracy of the data is ensured.
DMARTS captures application information contained in NEMIS-IA provided by
disaster assistance applicants, FEMA disaster field operations, and Regional Office staff.
DMARTS assumes the accuracy of the information that it receives from other FEMA
systems.
FEMA sends every applicant seeking disaster assistance a hard copy printout of
his or her original application, which provides an opportunity to identify any errors in the
original application submitted to FEMA. Secondly, applicants have the opportunity to
speak with a live FEMA case worker at a National Processing Service Center (NPSC)
(VA, MD, or TX) location to correct any deficiencies in the applicants’ data. Finally,
applicants can access their individual case files on-line on which they can update and
correct information in their case files as appropriate.
2.5
Privacy Impact Analysis: Related to Characterization of the
Information
Privacy Risk: There is a privacy risk that data within DMARTS may be
inaccurate due to its reliance on underlying source data systems.
Mitigation: DMARTS assumes the accuracy of the information that it receives
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 8
from other FEMA systems. If a redress request is filed (see section 7.0), data is corrected
within the underlying source systems. Once FEMA updates the information in source
systems (NEMIS-IA and ACE3), these corrections and/or updates are matched by the
applicant’s registration number and uploaded into DMARTS.
Privacy Risk: There is a privacy risk that FEMA employees rather than the
applicants themselves perform data entry of the majority of disaster applicants’
information and this may result in inaccurate information.
Mitigation: FEMA mitigates this privacy risk by sending each applicant a hard
copy printout of his or her application for review and signature. This provides the
applicant an opportunity to identify and correct any errors that may exist by contacting
FEMA’s toll-free registration/helpline, logging into his or her on-line disaster applicant
case file at www.disasterassistance.gov, or by engaging the Privacy Act/Freedom of
Information Act process.
Section 3.0 Uses of the Information
3.1
Describe how and why the project uses the information.
DMARTS consolidates document management functions from NEMIS-IA and
ACES3 into a single integrated records management system. This consolidation is
necessary to: (1) streamline the disaster assistance application process for reporting
purposes; (2) aid in accurate and proper benefit determination; (3) eliminate duplication
of effort and duplication of benefits; and (4) help the agency to maintain the most up-todate and accurate information on disaster assistance applicants. DMARTS provides
document capture, repository, and workflow functions but does not alter the data captured
and maintained by ACE3 and NEMIS-IA. DMARTS receives disaster assistance related
documents from ACE3 and NEMIS-IA and allows authorized users to locate, access,
store, retrieve, manage, and archive documents and create consistent, streamlined,
supportable processes for the user community.
3.2
Does the project use technology to conduct electronic
searches, queries, or analyses in an electronic database to
discover or locate a predictive pattern or an anomaly? If so,
state how DHS plans to use such results.
DMARTS does not conduct electronic searches, queries, or analyses to discover
or locate a predictive pattern or an anomaly.
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 9
3.3
Are there other components with assigned roles and
responsibilities within the system?
No government component outside of FEMA has direct access to DMARTS.
3.4
Privacy Impact Analysis: Related to the Uses of
Information
Privacy Risk: The privacy risk associated with DMARTS is that FEMA could
use the information for purposes other than that for which it was collected.
Mitigation: FEMA mitigates this privacy risk in two primary ways. First,
FEMA limits its data collection in DMARTS to only that which is required to process
disaster assistance applications. Second, FEMA also limits access to DMARTS to
authorized users whose access is based on their roles and responsibilities and who have
signed Rules of Behavior (ROB) documentation and Non-Disclosure Agreements (NDA).
Section 4.0 Notice
4.1
How does the project provide individuals notice prior to the
collection of information? If notice is not provided, explain
why not.
FEMA provides notice of its collection of information to facilitate the distribution
of disaster assistance through several types of media prior to collecting data stored in
DMARTS. FEMA provides a Privacy Act Statement (Appendix B) on its FEMA Form
009-0-1 and its variations as well as on other disaster assistance forms, which are listed in
Appendix A. The Privacy Act Statement is also shown to applicants applying for disaster
assistance online at www.disasterassistance.gov. In instances when information is
collected via phone, FEMA employees and contractors recite the Privacy Act Statement
to applicants prior to the collection of any disaster assistance registration information.
In addition, this PIA and FEMA’s DHS/FEMA 008 - Disaster Recovery
Assistance Files System of Records Notice, 78 FR 25282 (April 30, 2013), provide the
public notice of FEMA’s collection of information for disaster assistance programs.
4.2
What opportunities are available for individuals to consent
to uses, decline to provide information, or opt out of the
project?
FEMA provides disaster assistance applicants the opportunity to consent to or
decline to provide information for a disaster assistance application prior to the
information being captured in DMARTS. FEMA provides notice of the information
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 10
collection, including the consequences to the individual for failing to provide the
information requested in the disaster application process through several channels, as
described in Section 4.1 above. An individual may “opt-out” by simply declining to
provide the information at any point in the application process. However, once any or all
information is provided to FEMA during the application process, FEMA will capture that
information and store it in DMARTS.
4.3
Privacy Impact Analysis: Related to Notice
Privacy Risk: The privacy risk associated with this system is that the individual
will not have prior or existing notice of DMARTS collection and uses of information
after collection by the source system.
Mitigation: FEMA mitigates this privacy risk by providing notice to individuals
through the Privacy Act Statement on each of the disaster application forms, verbal
recitation of the Privacy Act Statement through the tele-registration process, this PIA as
well as each source system’s PIA, and the SORN identified in Section 1.2.
Section 5.0 Data Retention by the project
5.1
Explain how long and for what reason the information is
retained.
DMARTS records related to registration for assistance, inspection reports,
temporary housing assistance eligibility determinations, and eligibility decisions for
disaster assistance from other federal and state agencies are covered by Records Schedule
N1-311-86-1 4C10a and are destroyed after 6 years and 3 months.
DMARTS records related to state files, which contain records of persons who
request disaster assistance, are covered by Records Schedules N1-311-86-1 4C7 and/or
N1-311-86-1 4C10b and are destroyed 3 years after closeout.
5.2
Privacy Impact Analysis: Related to Retention
Privacy Risk: The privacy risk associated with this system is that DMARTS
may retain the information for longer than necessary to fulfill FEMA’s mission.
Mitigation: FEMA mitigates this privacy risk by minimizing the length of time it
retains data in the system in accordance with the mission of its assistance programs. In
addition, users are trained on proper procedures with respect to records retention and
disposal. Records retention information is also written into the DMARTS user manual
and Standard Operating Procedures. DMARTS automatically removes old files as
necessary and appropriate in accordance with the records schedule.
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 11
Section 6.0 Information Sharing
6.1
Is information shared outside of DHS as part of the normal
agency operations? If so, identify the organization(s) and
how the information is accessed and how it is to be used.
Information in DMARTS is not shared outside of DHS as part of normal agency
operations. Information may be shared from the source systems (NEMIS-IA and ACE3),
pursuant to published Routine Uses outlined in DHS/FEMA-008 Disaster Recovery
Assistance File System of Records Notice, 78 FR 25283 (April 30, 2013).
6.2
Describe how the external sharing noted in 6.1 is compatible
with the SORN noted in 1.2.
DMARTS does not share information outside of DHS as part of normal agency
operations.
6.3
Does the project place limitations on re-dissemination?
DMARTS does not re-disseminate any information.
6.4 Describe how the project maintains a record of any
disclosures outside of the Department.
DMARTS does not share information outside of DHS as part of normal agency
operations.
6.5
Privacy Impact Analysis: Related to Information Sharing
Privacy Risk: The privacy risk associated with this system is that FEMA could
inappropriately use or disclose information, either intentionally or unintentionally.
Mitigation: FEMA mitigates this privacy risk by requiring all users to complete
security and privacy awareness training, which includes appropriate and inappropriate
uses and disclosures of the information accessible to them as part of their official duties.
User activity in the system is monitored and audited. Should a user inappropriately use
or disclose information, he or she is subject to loss of access and the disclosure will be
referred to the appropriate internal investigation entities. Additionally, users are required
to undergo system access recertification annually.
Information in DMARTS is not shared outside of DHS as part of normal agency
operations. Information may be shared from the source systems (NEMIS-IA and ACE3),
pursuant to published Routine Uses outlined in DHS/FEMA-008 Disaster Recovery
Assistance File System of Records Notice, 78 FR 25282 (April 30, 2013). Third party
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 12
requests for individual disaster assistance records are directed to the FEMA Disclosure
Officer who reviews, tracks, and determines what (if any) records may be legally
disclosed.
Section 7.0 Redress
7.1
What are the procedures that allow individuals to access
their information?
Disaster assistance applicants can access their information in several ways prior to
it being stored in DMARTS online via www.disasterassistance.gov using the applicant’s
user ID, password, system generated PIN, and authentication that was established during
the application process; FEMA tele-registration Helpline at 1-800-621-FEMA (3362);
and hard copy mail-out package containing the applicant’s completed FEMA Form 0090-1 (FEMA mails the package to the applicants after the registration process is complete).
DMARTS is part of the DHS/FEMA 008 - Disaster Recovery Assistance Files
System of Records Notice, 78 FR 25282 (April 30, 2013). As such, disaster assistance
applicants may also submit a written Privacy Act/Freedom of Information Act (FOIA)
request to: FEMA Disclosure Officer, Records Management Division, 500 C Street, SW,
Washington, D.C. 20472-3005.
7.2
What procedures are in place to allow the subject individual
to correct inaccurate or erroneous information?
An applicant may use the procedures outlined in section 7.1 may also be used to
correct inaccurate data. Once FEMA updates the information in source systems
(NEMIS-IA and ACE3), these corrections and/or updates are matched by the applicant’s
registration number and uploaded into DMARTS.
7.3
How does the project notify individuals about the
procedures for correcting their information?
Individuals are given notice on how to correct their information via DHS/FEMA008 Disaster Recovery Assistance Files System of Records Notice, 78 FR 25282 (April
30, 2013) and this PIA.
Additionally, after applying for assistance through
www.disasterassistance.gov each disaster assistance applicant receives a package in the
mail that includes an Application Guide. This guide includes directions for redress in a
section titled, “I Want to Have My Case Reviewed Again (Appeal).”
7.4
Privacy Impact Analysis: Related to Redress
Privacy Risk: The privacy risk associated with this system is that disaster
applicants will not know the proper procedure for accessing and correcting their
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 13
information since information in DMARTS is collected from underlying source systems
as opposed to directly from the individual.
Mitigation: This privacy risk is mitigated as noted in Section 7.1 above. FEMA
provides applicants with a direct notice of redress in the mail-out packages sent to each
applicant, as noted in the sections above. Additionally, the DHS/FEMA-008 Disaster
Recovery Assistance Files System of Records Notice, 78 FR 25282 (April 30, 2013), this
PIA, and the source systems (NEMIS-IA and ACE3) PIAs provide information about the
redress processes for disaster assistance applicants.
Section 8.0 Auditing and Accountability
8.1
How does the project ensure that the information is used in
accordance with stated practices in this PIA?
FEMA ensures that the practices stated in this PIA are reinforced by providing
training to the users on the policies and Rules of Behavior. FEMA also uses auditing and
accountability capabilities through Windows and Linux platform system file functions
and access controls through the Authentication and Provisioning Services (APS) system,
which are explained in the following paragraphs within this section.
DMARTS tracks all entries and modifications to DMARTS fields and records,
which allows for audits of system access. Through Windows and Linux platform system
file functions, DMARTS is able to log the time and date each instance data is accessed
and it also logs any transactions within, and changes to, the system. The log tracks the
user and the type of transaction made to a record (add, delete, or edit).
DMARTS queries the APS system to replicate and assign DMARTS rights and
privileges to APS authenticated users. This platform is used to determine the user’s
access rights (read, create, modify, or delete information) in DMARTS.
8.1
Describe what privacy training is provided to users either
generally or specifically relevant to the project.
FEMA requires annual privacy training for all employees and contractors who use
or access DMARTS. It is FEMA policy that all personnel successfully complete a
FEMA IT security training course before receiving access to DMARTS. FEMA requires
all contract employees to adhere to the Privacy Act and confidentiality clauses, per the
terms of their contracts with FEMA.
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 14
8.3
What procedures are in place to determine which users may
access the information and how does the project determine
who has access?
FEMA information systems, including DMARTS, use a role-based access control
mechanism to control access to both data and functionality. Permissions for access to the
data and functions used to manipulate the data have been pre-defined for each FEMA
position based on the principles of separation of duties and “need to know.” This policy
pertains to both full-time and disaster assistance personnel (including Contractors).
8.4
How does the project review and approve information
sharing agreements, MOUs, new uses of the information,
new access to the system by organizations within DHS and
outside?
DMARTS does not require information sharing agreements or MOUs since it
does not share information outside of DHS. Any external sharing of information would
be addressed at the source system level (NEMIS-IA and ACE3).
Responsible Officials
Eric M. Leckey
Federal Emergency Management Agency
Privacy Officer
Department of Homeland Security
Approval Signature
Original signed and on file with the DHS Privacy Office.
Jonathan R. Cantor
Acting Chief Privacy Officer
Department of Homeland Security
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 15
APPENDIX A: FEMA Forms and OMB Control Numbers
DMARTS is not subject to PRA requirements because there are no specific forms
completed by the public used to populate the information in DMARTS. DMARTS
receives information from source systems NEMIS-IA and ACE3. All information
collections for each source system are responsible for compliance with the PRA but are
provided below for reference.
OMB Control No. 1660-0002, Disaster Assistance Registration:
FEMA Form 009-0-1 (English), Application/Registration for Disaster
Assistance;
FEMA Form 009-0-1T (English), Tele-Registration, Application for Disaster
Assistance;
FEMA Form 009-0-1Int (English), Internet Application/Registration for
Disaster Assistance;
FEMA Form 009-0-1S (English), Smartphone, Disaster Assistance Registration;
FEMA Form 009-0-2 (Spanish), Solicitud en Papel / Registro Para Asistencia
De Desastre;
FEMA Form 009-0-2Int (Spanish), Internet, Registro Para Asistencia De
Desastre;
FEMA Form 009-0-2S (Spanish) Smartphone, Registro Para Asistencia De
Desastre;
FEMA Form 009-0-3 (English), Declaration and Release Form;
FEMA Form 009-0-4 (Spanish), Declaración Y Autorización;
FEMA Form 009-0-5 (English), Temporary Housing Program-Receipt for
Government Property; and
FEMA Form 009-0-6 (Spanish), Recibo de la Propiedad del Gobierno.
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 16
�Privacy Impact Assessment
Document Management and Records Tracking System
Federal Emergency Management Agency
Page 17
APPENDIX B: Privacy Act Statement
PRIVACY ACT STATEMENT
AUTHORITY: The Robert T. Stafford Disaster Relief and Emergency Assistance Act
(Stafford Act) as amended, 42 U.S.C. §§ 5121-5207 and Reorganization Plan No. 3 of
1978; The Personal Responsibility and Work Opportunity Reconciliation Act of 1996
(Pub. L. 104-193) and Executive Order 13411. DHS asks for your SSN pursuant to the
Debt Collection Improvement Act of 1996, 31 U.S.C. § 3325(d) and § 7701(c)(1).
PRINCIPAL PURPOSE(S): This information is being collected for the primary purpose
of determining eligibility and administrating disaster assistance under a Presidentiallydeclared disaster. Additionally, information may be reviewed internally within FEMA
for quality control purposes.
ROUTINE USE(S): The information on this form may be disclosed as generally
permitted under 5 U.S.C. § 552a(b) of the Privacy Act of 1974, as amended. This
includes using this information as necessary and authorized by routine uses published in
DHS/FEMA 008 - Disaster Recovery Assistance Files System of Records, 78 FR 25282
(April 30, 2013) and upon written request, by agreement, or as required by law.
DISCLOSURE: The disclosure of information on this form is voluntary; however,
failure to provide the information requested may delay or prevent the individual from
receiving disaster assistance.
�
| File Type | application/pdf |
| File Title | Privacy Impact Assessment |
| Author | Department Of Homeland Security Privacy Office |
| File Modified | 2013-05-15 |
| File Created | 2013-05-15 |