Privacy Impact Assessment (PIA)

Privacy Impact Assessment
for the
National Emergency Management Information SystemIndividual Assistance (NEMIS-IA)
Web-based and Client-based Modules
DHS/FEMA/PIA-027
June 29, 2012
Contact Point
Vienna Marcelli
Section Manager, Process Design/TSI
Federal Emergency Management Agency
(540) 686-3901
Reviewing Official
Mary Ellen Callahan
Chief Privacy Officer
Department of Homeland Security
(703) 235-0780

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 1

Abstract
The U.S. Department of Homeland Security (DHS), Federal Emergency Management
Agency (FEMA), Office of Response and Recovery (OR&R), Recovery Directorate, National
Processing Service Center (NPSC) Division operates the National Emergency Management
Information System (NEMIS) Individual Assistance (IA) system. NEMIS-IA supports FEMA’s
recovery mission under the Robert T. Stafford Disaster Relief and Emergency Assistance Act
(Stafford Act), P.L. 93-288, as amended, by processing information obtained from disaster
recovery assistance applications via the Disaster Assistance Improvement Program
(DAIP)/Disaster Assistance Call Center (DAC) system. NEMIS-IA, which consists of both
client-based and web-based modules, also utilizes business rules to detect and prevent
―duplication of benefits.‖1 FEMA is conducting this Privacy Impact Assessment (PIA) because
NEMIS-IA collects, uses, maintains, retrieves, and disseminates the personally identifiable
information (PII) of applicants to FEMA’s disaster recovery individual assistance programs.

Overview
FEMA OR&R, Recovery Directorate, NPSC Division operates the NEMIS-IA module.2
NEMIS-IA supports FEMA’s IA programs. IA consists of the Individuals and Households
Program (IHP) under the authority of the Stafford Act. IHP provides disaster relief to applicants
who have suffered disaster-related losses. FEMA’s IHP consists of Housing Assistance and
Other Needs Assistance (ONA). Housing Assistance provides financial or direct assistance to
individuals and/or households whose property has been damaged or destroyed and whose losses
are not covered by insurance. ONA, in conjunction with state assistance, provides assistance for
disaster-related necessary expenses and serious needs also not covered by insurance. In addition,
NEMIS-IA contains and applies business rules to data designed to detect and prevent duplication
of benefits and also ensure that survivors receive consideration for assistance.
The NEMIS-IA system does not collect any information directly from individuals
applying for FEMA assistance benefits. The DAIP/DAC system3 sends to NEMIS-IA applicant
registration information to track, evaluate, and provide approval for benefits to individual
disaster assistance applicants.

1

Executive Order 13411 – Improving Assistance for Disaster Victims, initiated an effort ―to strengthen controls
designed to prevent improper payments and other forms of fraud, waste, and abuse.‖ To this end, FEMA takes
measures to prevent a ―duplication of benefits,‖ whereby an applicant receives aid from multiple sources for the
same disaster.
2
Individual assistance refers to money or direct assistance to individuals, families, and businesses in an area whose
property has been damaged or destroyed and whose losses are not covered by insurance.
3
For detailed description of DAIP, please see the DHS/FEMA/PIA-012 Disaster Assistance Improvement Program
PIA (December 31, 2008), available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_fema_daip.pdf.

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 2

A typical NEMIS-IA transaction occurs after the governor of a state requests and the
President of the United States declares a disaster following a particular damage-causing event.
The governor’s request for direct assistance may include any of the following: Individual
Assistance (IA), Public Assistance (PA), and/or Hazard Mitigation Assistance (HMA). Once
FEMA approves various types of assistance for a declared disaster, the NEMIS-Emergency
Coordination (EC) module stores FEMA’s Disaster Identification (ID) Number and the types of
assistance authorized. If the authorization includes IA, NEMIS-EC shares the Disaster ID
Number and IA authorization information with NEMIS-IA in order to initiate the processing of
IA applications.
FEMA offers disaster survivors several means through which they may apply for IA.
Applicants may complete the paper-based FEMA Form 009-0-1, ―Application/Registration for
Disaster Assistance‖;4 call FEMA toll-free at 1-800-621-FEMA to speak to a FEMA NPSC
representative for registration assistance or access to the Integrated Voice Response through the
Advanced Call Center Network;5 register online at http://www.disasterassistance.gov; or apply
through a mobile phone application at http://m.fema.gov. FEMA’s website and mobile
application submit registration data directly to DAIP/DAC, whereas registrations made via
telephone or paper form are manually entered into DAIP/DAC by FEMA staff. Through either
type of submission, IA application information from FEMA Form 009-0-1 enters the DAIP/DAC
system, which routes select applicant PII (name, date of birth, Social Security Number (SSN),
and residential address) to a third-party identity proofing (IdP) service to conduct identity
authentication.6 Disaster survivors may choose to opt-out of providing SSN to FEMA during the
registration process; however, doing so may delay or prevent the survivor from receiving
assistance.
This authentication service generates knowledge-based questions based on commercial
identity verification information collected by a third-party company from financial institutions,
public records, and other service providers. Commercial transaction history, mortgage payments,
or past addresses may be accessed. An individual must correctly answer the IdP questions from
available public information in order to authenticate his or her identity and continue the process.
In cases where the applicant registers online, via FEMA mobile application, or via telephone, the
third-party IdP service will return the ―pass/fail‖ flag notifying the applicant of his status in a
matter of seconds, while applicants registering via paper form will only be notified of a ―fail‖
4

Following the recent Information Collection Request (ICR) submission to OMB (October 1, 2010), the form
formerly designated as FEMA Form 90-69 has now been renamed FEMA Form 009-0-1.
5
For detailed description of the Advanced Call Center Network Program, please see the DHS/FEMA/PIA-021
Advanced Call Center Network (ACCN) Platform PIA (March 23, 2012) available at
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_fema_accn.pdf.
6
For a description of the third-party identity authentication process, please see the DHS/FEMA/PIA-012 - Disaster
Assistance Improvement Plan (December 31, 2008) available at
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_fema_daip.pdf.

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 3

flag by FEMA staff.
The applicant’s registration for disaster assistance and the ―pass/fail‖ flag are shared
from DAIP/DAC to NEMIS-IA. If a ―fail‖ flag is received, FEMA staff will review the
registration through a manual business process, and request that the applicant provide the FEMA
call center with additional identifying information. FEMA call center staff will review certain
elements of the registration record to determine whether application can go forward. If
successful, the applicant may complete the registration. If questions still remain, the applicant is
asked to mail-in proof of identify with SSN or bank account information, before finalizing his or
her registration. FEMA call center staff work exclusively within the system and are not
permitted to take handwritten notes. FEMA call center management and leadership are on duty
at all times monitoring call center staff as well as assisting applicants. In addition FEMA has
implemented the Quality Assurance Recording System (QARS),7 which further supports
FEMA’s ability to ensure that FEMS call center staff are using the systems appropriately.
NEMIS-IA provides quality control on the application data entered into DAIP/DAC.
NEMIS-IA ensures the data are properly formatted for processing, then applies both automated
and manual business rules for eligibility/ineligibility determinations; produces and mails
correspondence to registrants; manages inspections of damaged properties (through a separate
application); assists system users with a helpline; and generates or updates the application status.
NEMIS-IA processes the initial registration data and applies business rules for automated
eligibility determination and any necessary validation for address correction. For cases where
registration eligibility cannot be determined through the automated business rules, the
information is routed to the FEMA staff member for manual intervention and processing. If
registrants are eligible for ONA through the states, the registrations are sent to the State Web
module.8 During this process, the system applies rules for the duplication of benefits test. If a
record is flagged for potential duplication of benefits, it is routed for manual review.
For those registrations that require home inspections, NEMIS-IA assigns inspectors to
perform on-site inspections and confirm damage to applicants’ individual real properties (for
example, their home). Once the inspection is complete, the inspector will upload the data to
NEMIS-IA, and it will be transferred to the Automated Construction Estimating (ACE3)
Software System9 (a separate system from NEMIS-IA); NEMIS-IA does not maintain data after
7

DHS/FEMA/PIA-015 Quality Assurance Recording System, published November 10, 2010 and DHS/FEMA002Quality Assurance Recording System of Records Notice published February 15, 2011 at 76 Fed. Reg. 8758.
8
State Web module is used by state users to process ONA payments. The state users must be authorized with
defined roles in the FEMA’s Integrated Security and Access Control System (ISAACS). Their access is limited to
only the State Web module that requires ISAAC authentication with individual user IDs and passwords.
9
The ACE3 system is separate from NEMIS-IA and is covered by DHS/FEMA/PIA-012 Disaster Assistance
Improvement Program (DAIP) PIA (December 31, 2008), available at
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_fema_daip.pdf.

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 4

it has been transferred. This enables field inspectors to electronically record information relevant
to their verification of damaged properties. If direct housing assistance is authorized, NEMIS-IA
provides information on available housing contractors so that FEMA can match available
contractors with eligible applicants. FEMA’s Emergency Lodging Assistance program provides
temporary shelter and hotel/motel lodging reimbursements for pre-qualified IA applicants. To
accomplish this, NEMIS-IA shares PII with a third-party service, which administers the
Emergency Lodging Assistance program, and with Integrated Financial Management
Information System (IFMIS),10 which processes the housing payments.11
As data are processed by NEMIS-IA, it is continually replicated in real time to FEMA’s
Enterprise Data Warehouse (EDW)/Operational Data Store (ODS) for ad hoc data retrieval,
report generation, and storage.12 Disaster recovery assistance files, such as those contained in
NEMIS-IA, are retained for 6 years and 3 months in accordance with NARA Authority N1-31186-1, items 4C10a and 4C10b, and the DHS/FEMA—008 Disaster Recovery Assistance Files
System of Records.13
The primary privacy risk identified with NEMIS-IA is that the information is not directly
collected from the individual but is replicated from DAIP/DAC. There is a possibility the
information will be inaccurate and the applicant will be unaware that the problem is in NEMISIA when the information in DAIP/DAC is accurate. To mitigate this risk, FEMA employs realtime sharing and updating of records between DAIP/DAC and NEMIS-IA to ensure that
applicant information is quickly and accurately updated; sends each applicant a hard copy
printout of their registration along with a guide that specifically includes information on redress;
and allows access and redress through multiple media such as www.disasterassistance.gov,
FEMA’s toll-free registration/helpline, and the Privacy Act/Freedom of Information Act process
outlined in Section 7 of this PIA.

Section 1.0 Authorities and Other Requirements
1.1

What specific legal authorities and/or agreements permit and
define the collection of information by the project in question?

Section 408 of the Robert T. Stafford Disaster Relief and Emergency Act, as amended,
42 U.S.C. § 5174, allows the President to provide financial assistance to individuals and
10

FEMA’s official accounting system
For detailed description of the IFMIS, please see the DHS/FEMA/PIA-020 Integrated Financial Management
Information System Merger PIA (December 16, 2011), available at
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_fema_ifmis_merger.pdf.
12
DHS/FEMA/PIA Operational Data Store/Enterprise Data Warehouse available at,
http://www.dhs.gov/files/publications/gc_1279831031414.shtm.
13
DHS/FEMA-008 Disaster Recovery Assistance Files, 74 Fed. Reg. 48763 (Sep. 24, 2009), available at
http://edocket.access.gpo.gov/2009/E9-23015.htm.
11

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 5

households in the state who, as a direct result of a major disaster, have necessary expenses and
serious needs that they are unable to meet through other means.
Section 312 of the Robert T. Stafford Disaster Relief and Emergency Assistance Act, as
amended, 42 U.S.C. § 5155, prohibits persons, business concerns, and other entities from
receiving benefits for a loss that would duplicate financial assistance under other programs, from
insurance, or from any other source.
The Clinger Cohen Act, 40 U.S.C. § 11303, guidance for multiagency investments,
and 40 U.S.C. § 11318, guidance for interagency support;
The E-Government Act of 2002, 44 U.S.C. § 3501;
Section 401 of the Personal Responsibility and Work Opportunity Reconciliation Act
of 1996, 8 U.S.C. § 1611;
The Debt Collection Improvement Act of 1996, 31 U.S.C. 3711(g);
The Economy Act, 31 U.S.C. § 1535;
The Paperwork Reduction Act, as amended, 44 U.S.C. § 3501, et. seq.;
44 C.F.R. §§ 206.110-119, Federal assistance to individuals and households;
44 C.F.R. § 206.191, Duplication of benefits; and
Executive Order No. 13411, Improving Assistance for Disaster Victims, August 29,
2006, 71 Fed. Reg. 52729 (Sep. 6, 2006), provides for improving disaster assistance
to the public by providing centralized access to all federally-funded disaster
assistance programs.

1.2

What Privacy Act System of Records Notice(s) (SORN(s)) apply
to the information?

The information in the NEMIS-IA module is covered by DHS/FEMA – 008 Disaster
Recovery Assistance Files System of Records, 74 Fed. Reg. 48763 (Sep. 24, 2009).

1.3

Has a system security plan been completed for the information
system(s) supporting the project?

NEMIS-IA is operational and was granted an Authority to Operate (ATO) on November
18, 2011, including all Certification and Accreditation (C&A) documentation. The ATO expires
December 31, 2012.

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 6

1.4

Does a records retention schedule approved by the National
Archives and Records Administration (NARA) exist?

Disaster assistance recovery files, such as those contained in NEMIS-IA, are retained for
6 years and 3 months in accordance with NARA Authority N1-311-86-1, items 4C10a and
4C10b, and DHS/FEMA—008 Disaster Recovery Assistance Files System of Records, 74 Fed.
Reg. 48763 (Sep. 24, 2009).

1.5

If the information is covered by the Paperwork Reduction Act
(PRA), provide the OMB Control number and the agency number
for the collection. If there are multiple forms, include a list in an
appendix.

The information that NEMIS-IA collects, uses, maintains, retrieves, and disseminates is
collected by DAIP/DAC through Office of Management and Budget (OMB) Control No. 16600002, ―Disaster Assistance Registration,‖ (expires August 31, 2013); and OMB Control No.
1660-0061, ―Federal Assistance to Individuals and Households Program,‖ (expires October 31,
2014).
See Appendix A (attached) for a list of FEMA forms related to each collection.

Section 2.0 Characterization of the Information
2.1

Identify the information the project collects, uses, disseminates, or
maintains.

NEMIS-IA uses and maintains the following information, which is stored in a shared
database and collected through the DAIP/DAC system to track, evaluate, and provide benefits to
individual disaster assistance applicants:
Applicant Information from DAIP/DAC:
Prefix (Mr., Ms, etc);
Name (First, Middle, Last);
Social Security Number;
Date of Birth;
Number of Dependents;
Income Information;
Financial Information (Electronic Transfer Participation, Institution Information,
Account Information, Pre-disaster income);
Phone Numbers (Current, Damaged Property, Alternate, and Cell);
Alternate Phone Notes field;

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 7

Email Address;
Addresses (Mailing/Current and Damaged Property);
Dwelling Residence Own/Rent Flag;
Damaged Dwelling Place (City/County/Parish);
Damaged Dwelling Information (Type of Home, Primary Residence Flag, Restricted
Access);
Damaged Dwelling Insurance (Y/N and Company Name);
Other Insurance (Y/N and Company Name);
Vehicle Insurance Flags (Y/N; Liability and Comprehensive);
FEMA Disaster Number;
Damage Type (Fire/Smoke, Water, etc.);
Disaster-related Losses Damage Flags (Home, Personal Property, Utilities);
Expense Flags (Medical, Dental, Funeral; Y/N);
Vehicle Information (Registration, Damage, Drivable, Make, Model, Year);
Other Expenses Flag (Y/N);
Emergency Needs (Checkbox; Food, Clothing, Shelter);
Special Needs Flags (Mobility, Mental, Ear, Eye, Other Y/N);
Special Needs Option Information; and
Self-Employment/Business Damages;
Occupant Information from DAIP/DAC:
Name (First, Middle, Last);
Social Security Number;
Age;
Relationship to Applicant;
Additional Information Received from DAIP/DAC:
―Pass/Fail‖ flag for identify verification (provided by third-party IdP service).

NEMIS-IA generates the following information during the processing of the registrant’s
information:
Application Status (―In-Process,‖ ―Submitted,‖ or ―Approved‖);
Housing Inspection Required (Y/N);
Priority of Assistance;

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 8

Type of Assistance being considered; and
Time Stamps.

EDW/ODS associates the following information on FEMA employees/contractors with
NEMIS-IA records:
Staff ID; and
NPSC Assignment (Location).

2.2

What are the sources of the information and how is the
information collected for the project?

The primary information source for NEMIS-IA is the DAIP/DAC system. The
registrations for disaster assistance originate in DAIP/DAC and contain PII collected from the
various forms listed in Appendix A. A third-party IdP service conducts identity authentication
and provides a ―pass/fail‖ flag based on a series of questions.

2.3

Does the project use information from commercial sources or
publicly available data? If so, explain why and how this
information is used.

Yes. FEMA uses a third-party IdP service for the identity authentication checks of
applicants for FEMA’s IA programs. FEMA’s DAIP/DAC system collects the applicant’s name,
address, SSN, and date of birth and sends the data to the third-party IdP service to verify that a
person with these attributes exists and the SSN is valid. The IdP then returns a ―pass/fail‖ flag,
based on a series of questions, to FEMA DAIP/DAC. DAIP/DAC shares this indicator with
NEMIS-IA.

2.4

Discuss how accuracy of the data is ensured.

NEMIS-IA assumes the accuracy of the information that it receives from DAIP/DAC,
which includes authentication identification controls. Though information maintained within
NEMIS-IA is not collected directly from an individual seeking assistance benefits, the accuracy
of the data within NEMIS-IA is ensured through the means described below.
First, FEMA sends every applicant seeking IA a hard copy printout of their original
DAIP/DAC application, which provides an opportunity to identify any errors in the original
application submitted to FEMA. Second, applicants have the opportunity to speak with a live
FEMA case worker at a NPSC location to correct any deficiencies in the applicant’s DAIP/DAC
data. In addition, for applicants who opt to use the telephone application process and provide
information to the tele-registrar, who in turn will enter the data into the system, a third-party

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 9

service provides screen pre-population data to the tele-registrars to help ensure data accuracy.
This third-party service can automatically populate the registration forms with data matched
from the third-party public record and proprietary sources.

2.5

Privacy Impact Analysis: Related to Characterization of the
Information

Privacy Risk: There is a privacy risk associated with the system that NEMIS-IA could
maintain inaccurate information from disaster assistance applicants because the data are not
collected directly from the applicant.
Mitigation: This privacy risk is mitigated because FEMA sends each applicant a hard
copy printout of their application, thus providing the applicant with knowledge of any errors that
may exist within it. In addition, FEMA offers applicants multiple methods of correcting any
discrepancy in their data so that NEMIS-IA will properly process their applications, such as
making edits to their data via www.disasterassistance.gov or FEMA’s mobile website
http://m.fema.gov/ or contacting a NPSC representative via FEMA’s toll-free assistance hotline.
Lastly, NEMIS-IA and DAIP/DAC share registrant’s data virtually in real-time, so whenever an
applicant updates his/her information through one of the above methods, the information is
updated in NEMIS-IA immediately thereafter.
Privacy Risk: There is a privacy risk that the identity verification ―pass/fail‖ flag
inaccurately fails or passes an individual..
Mitigation: In order to mitigate the risk of inaccurate failure, FEMA has set up a manual
review process for applicants who have received a ―fail‖ flag. In order to mitigate the risk of
inaccurate passing, DHS/FEMA has agreements in place with its third-party IdP service that
guarantees the accuracy of the data. FEMA conducts routine reviews of the accuracy of data
from its third-party IDP service.

Section 3.0 Uses of the Information
3.1

Describe how and why the project uses the information.

NEMIS-IA imports the registration information from applicants for disaster assistance
from DAIP/DAC, including the applicant’s registration information for IA programs and a
―pass/fail‖ flag from its third-party IdP service that is used for identity verification.
NEMIS-IA applies its business rules to the data to determine eligibility for FEMA’s IA
programs; produce and mail correspondence to registrants; facilitate and manage housing
inspections, which includes verifying applicant damage claims and assessing the repair or
replacement costs; and detect and prevent duplication of benefits by identifying possible
duplicate registrations and reviewing them manually.

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 10

3.2

Does the project use technology to conduct electronic searches,
queries, or analyses in an electronic database to discover or locate
a predictive pattern or an anomaly? If so, state how DHS plans to
use such results.

NEMIS-IA does not conduct electronic searches, queries, or analyses in an electronic
database to discover or locate a predictive pattern or an anomaly.

3.3

Are there other components with assigned roles and
responsibilities within the system?

There are no assigned roles or responsibilities within NEMIS-IA for other DHS
components outside of FEMA.

3.4

Privacy Impact Analysis: Related to the Uses of Information

Privacy Risk: There is a privacy risk associated with NEMIS-IA that includes FEMA
using information for purposes other than that for which it was collected.
Mitigation: This privacy risk is mitigated in several ways. First, FEMA limits its data
collection in DAIP/DAC to only that which is required to process disaster assistance
applications, so there is no extraneous data shared with NEMIS-IA. Secondly, NEMIS-IA does
not transfer data from one component module to another; rather, each module extracts the data it
requires from the shared NEMIS database according to its established rules. FEMA also limits
access to NEMIS-IA to authorized users whose access is based on their roles and responsibilities
and who have signed Rules of Behavior documentation and DHS Non Disclosure Agreements
(NDA). Lastly, the Information System Security Officer (ISSO) for NEMIS-IA performs
periodic access reviews of the system.

Section 4.0 Notice
4.1

How does the project provide individuals notice prior to the
collection of information? If notice is not provided, explain why
not.

FEMA provides notice of its collection of information to facilitate the provision of its IA
programs through many different media. FEMA provides a Privacy Act statement on its FEMA
Form 009-0-1 and its variations (Appendix B), as well as its other IA program forms. FEMA also
provides this Privacy Act statement to applicants via http://www.disasterassistance.gov/ prior to
collecting information for disaster assistance registrations. In addition, FEMA NPSC case
workers provide a privacy notice to callers prior to collecting any disaster assistance registration
information. Lastly, this PIA and FEMA’s DHS/FEMA—008 Disaster Recovery Assistance

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 11

Files System of Records Notice, 74 Fed. Reg. 48763 (Sep. 24, 2009), provide notice of FEMA’s
collection of information for IA programs.

4.2

What opportunities are available for individuals to consent to
uses, decline to provide information, or opt out of the project?

FEMA provides disaster assistance applicants the opportunity to consent to or decline to
provide information for a disaster assistance application prior to the information being processed
in NEMIS-IA. FEMA provides notice of the information collection, including the consequences
to the individual of failing to provide the information requested in the disaster
application/registration process through several media, as described in Section 4.1 above. An
individual may ―opt-out‖ by simply declining to provide the information, however, once the
information is provided to FEMA during the application/registration process, that information
will be processed by NEMIS-IA.

4.3

Privacy Impact Analysis: Related to Notice

Privacy Risk: There is a privacy risk associated with this system that the individuals
applying/registering for FEMA’s IA programs will not receive notice at the time their
information is collected.
Mitigation: This privacy risk is mitigated because FEMA provides notice of its
collection of information to facilitate the provision of its IA programs in several ways including
through Privacy Act statements on its paper forms, web and mobile sites, and a verbal privacy
notice provided by FEMA’s NPSC staff that provide telephone assistance to applicants. Lastly,
this PIA and FEMA’s DHS/FEMA—008 Disaster Recovery Assistance Files System of Records
Notice, 74 Fed. Reg. 48763 (Sep. 24, 2009), provide notice of FEMA’s collection of information
for IA programs.

Section 5.0 Data Retention by the project
5.1

Explain how long and for what reason the information is retained.

FEMA retains application/registration information for its IA programs in accordance with
NARA authority N1-311-86-1, item 4C10a, and DHS/FEMA—008 Disaster Recovery
Assistance Files System of Records, 74 Fed. Reg. 48763 (Sep. 24, 2009); the information is
retained for 6 years and 3 months, which allows time for FEMA to resolve any appeal that an
applicant may pursue regarding their IA registration.

5.2

Privacy Impact Analysis: Related to Retention

Privacy Risk: There is a privacy risk associated with this system that NEMIS-IA will
retain information longer than necessary.

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 12

Mitigation: This privacy risk is mitigated because FEMA minimizes the time it keeps the
data, in line with the mission of its IA programs, and with an allowance for appeals. In addition,
FEMA leverages training and documentation, such as standard operating procedures, to inform
FEMA users of proper record retention standards.

Section 6.0 Information Sharing
6.1 Is information shared outside of DHS as part of the normal
agency operations? If so, identify the organization(s) and how the
information is accessed and how it is to be used.
State governments may have access to the NEMIS-IA State Web module, which is used
by the states when they are responsible for processing ONA. FEMA will only share the
information within the NEMIS-IA system outside of FEMA in accordance with the routine uses
published in DHS/FEMA—008 Disaster Recovery Assistance Files System of Records, 74 Fed.
Reg. 48763 (Sep. 24, 2009).

6.2

Describe how the external sharing noted in 6.1 is compatible with
the SORN noted in 1.2.

Any sharing of NEMIS-IA information is compatible with DHS/FEMA—008 Disaster
Recovery Assistance Files System of Records, 74 Fed. Reg. 48763 (Sep. 29, 2009) and is only
done consistent with the published routine uses therein. The routine uses are also compatible
with the original purpose of the collection: to register, verify, and determine the eligibility of
applicants needing disaster assistance; inspect damaged homes; prevent duplication of federal
government efforts and benefits; and identify and implement measures to reduce future disaster
damage. Routine uses H and I in the above-referenced SORN pertain to sharing information in
the context of providing assistance for FEMA’s IHP and preventing a duplication of benefits,
both of which are consistent with the purpose of the SORN.

6.3

Does the project place limitations on re-dissemination?

Any sharing of NEMIS-IA records is compatible with the routine uses listed in the
DHS/FEMA—008 Disaster Recovery Assistance Files System of Records, 74 Fed. Reg. 48763
(Sep. 29, 2009). All sharing is compatible with the original purpose of the collection, as noted in
Section 6.2 above. In addition, FEMA does not share information without a demonstrated ―need
to know‖ the information requested.

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 13

6.4

Describe how the project maintains a record of any disclosures
outside of the Department.

As identified in the DHS/FEMA—008 Disaster Recovery Assistance Files System of
Records, 74 Fed. Reg. 48763 (Sep. 29, 2009), requests for IA records from NEMIS-IA are made
to the FEMA Disclosure Office, which maintains the accounting of what records were disclosed
and to whom.

6.5

Privacy Impact Analysis: Related to Information Sharing

Privacy Risk: There is a privacy risk associated with this system that the information in
NEMIS-IA could be erroneously disclosed.
Mitigation: This privacy risk is mitigated because FEMA only shares the information in
NEMIS-IA outside of DHS pursuant to the routine uses found in the DHS/FEMA—008 Disaster
Recovery Assistance Files System of Records, 74 Fed. Reg. 48763 (Sep. 24, 2009), and only
pursuant to a written request submitted to the FEMA Disclosure Office.

Section 7.0 Redress
7.1

What are the procedures that allow individuals to access their
information?

Disaster assistance applicants can access their information in several other ways: (1)
applicants may access their information online via DAIP/DAC system using the user ID,
password, system generated PIN, and authentication that was established during the application
process; (2) applicants may call a FEMA NPSC representative to check on the status of their
application by providing their registration ID; and (3) applicants receive a hard copy of their
completed FEMA Form 009-0-1 as part of the mail-out package after registration.
NEMIS-IA processes disaster assistance requests from the registrations taken by the
DAIP/DAC system, which is part of the DHS/FEMA – 008 Disaster Recovery Assistance Files
System of Records, 74 Fed. Reg. 48763 (Sep. 24, 2009). As such, applicants for IA may consult
that SORN for additional information regarding how to access their respective IA disaster
application files via a Privacy Act or Freedom of Information Act (FOIA) request submitted to
the FEMA Disclosure Office.

7.2

What procedures are in place to allow the subject individual to
correct inaccurate or erroneous information?

Disaster assistance applicants may also correct inaccurate data via the processes noted in
Section 7.1 above.

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 14

IA disaster applicants may submit an amendment to their information in the
aforementioned DHS/FEMA—008 Disaster Recovery Assistance Files System of Records, 74
Fed. Reg. 48763 (Sep. 24, 2009) following a Privacy Act request to the FEMA Disclosure
Office. Such requests should be sent to: FEMA Disclosure Officer, Records Management
Division, 500 C Street, SW, Washington, DC 20472.

7.3

How does the project notify individuals about the procedures for
correcting their information?

DHS/FEMA—008 Disaster Recovery Assistance Files System of Records, 74 Fed. Reg.
48763 (Sep. 24, 2009) and this PIA provide notice regarding how IA disaster applicants can
correct their IA disaster application information. In addition, after registration through the
DAIP/DAC system, each applicant receives a mail-out package, which includes an Application
Guide with directions for redress in a section entitled, ―I Want to Have My Case Reviewed
Again (Appeal).‖ Also, as noted in Section 7.1 above, applicants may address concerns with a
NPSC representative via telephone.

7.4

Privacy Impact Analysis: Related to Redress

Privacy Risk: There is a privacy risk associated with this system that IA disaster
applicants will be unaware of the redress process.
Mitigation: This privacy risk is mitigated because FEMA provides several means of
redress to applicants who wish to amend their disaster assistance registration information. FEMA
provides applicants with a direct notice of redress in the mail-out packages sent to each
applicant, as noted in Section 7.1 above. FEMA also provides redress through its NPSC staff,
whom applicants may contact toll-free via telephone. In addition, as noted in Section 7.2 above,
FEMA utilizes a manual process for applicants who return a ―fail‖ flag from its third-party IdP
service, which mitigates the impact upon the applicant should FEMA receive erroneous
information from its third-party IdP. Lastly, the DHS/ FEMA—008 Disaster Recovery
Assistance Files System of Records, 74 Fed. Reg. 48763 (Sep. 24, 2009) and this PIA provide
notice of redress processes to disaster assistance applicants.

Section 8.0 Auditing and Accountability
8.1

How does the project ensure that the information is used in
accordance with stated practices in this PIA?

FEMA ensures that the practices stated in this PIA are followed by leveraging training,
policies, rules of behavior, and auditing and accountability.

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 15

8.2

Describe what privacy training is provided to users either
generally or specifically relevant to the project.

All FEMA NEMIS-IA users are required to successfully meet annual privacy awareness
and information-security training requirements according to FEMA training guidelines. FEMA
provides supplementary security-related training to those with additional security-related
responsibilities.

8.3

What procedures are in place to determine which users may
access the information and how does the project determine who
has access?

FEMA information systems, including NEMIS-IA, use a role-based access control
mechanism to control access to both data and functionality. Permissions for access to the data
and functions used to manipulate the data have been pre-defined for each FEMA position based
on the principles of separation of duties and ―need to know.‖ This policy pertains to both fulltime and disaster personnel.
Intranet access to NEMIS-IA is assigned and controlled by FEMA OR&R, based on
assigned roles and responsibilities for the IA program. FEMA employees and contractors
requiring access to NEMIS-IA send a request for access to the approving official within FEMA
OR&R.
State government users who have access to the State Web module must follow a similar
process as FEMA employees and contractors.

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 16

8.4

How does the project review and approve information sharing
agreements, MOUs, new uses of the information, new access to the
system by organizations within DHS and outside?

Currently, NEMIS-IA does not require information sharing agreements or MOUs;
however, the project has a process to review such agreements if it becomes necessary. This
process involves review by the FEMA IT Security Branch, FEMA Privacy Officer, and Office of
Chief Counsel prior to sending to the DHS Privacy Office for formal review and clearance.
Similarly, NEMIS-IA will leverage its stakeholders in the process of reviewing and approving
any new uses for the project.

Responsible Officials
Eric M. Leckey
Privacy Officer
Federal Emergency Management Agency
U.S. Department of Homeland Security

Approval Signature
[Original signed and on file with the DHS Privacy Office.]
________________________________
Mary Ellen Callahan
Chief Privacy Officer
U.S. Department of Homeland Security

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 17

APPENDIX A: FEMA Forms and OMB Control Numbers
OMB Control No. 1660-0002, ―Disaster Assistance Registration‖:
o FEMA Form
Assistance‖;

009-0-1

(English),

―Application/Registration

for

Disaster

o FEMA Form 009-0-1T (English), ―Tele-Registration, Application for Disaster
Assistance‖;
o FEMA Form 009-0-1Int (English), ―Internet Application/Registration for Disaster
Assistance‖;
o FEMA Form 009-0-1S (English), Smartphone, Disaster Assistance Registration;
o FEMA Form 009-0-2 (Spanish), ―Solicitud en Papel / Registro Para Asistencia De
Desastre”;
o FEMA Form 009-0-2Int (Spanish), ―Internet, Registro Para Asistencia De
Desastre”;
o FEMA Form 009-0-2S (Spanish) ―Smartphone, Registro Para Asistencia De
Desastre‖;
o FEMA Form 009-0-3 (English), ―Declaration and Release Form‖;
o FEMA Form 009-0-4 (Spanish), ―Declaración Y Autorización”;
o FEMA Form 009-0-5 (English), ―Temporary Housing Program-Receipt for
Government Property‖; and
o FEMA Form 009-0-6 (Spanish), ―Recibo de la Propiedad del Gobierno.‖

OMB Control No. 1660-0061, ―Federal Assistance to Individuals and Households
Program‖:
o FEMA Form 010-0-11, ―Administrative Option Selection‖; and
o FEMA Form 010-0-12, ―Application for Continued Temporary Housing
Assistance.‖

Privacy Impact Assessment
National Emergency Management Information System
Individual Assistance
Web-based and Client-based Modules
Federal Emergency Management Agency
Page 18

APPENDIX B: Privacy Act Statement
PRIVACY ACT STATEMENT
AUTHORITY: The Robert T. Stafford Disaster Relief and Emergency Assistance Act as
amended, 42 U.S.C. §§ 5121-5207 and Reorganization Plan No. 3 of 1978; 4 U.S.C. §§ 2904 and
2906; 4 C.F.R. § 206.2(a)(27); the Personal Responsibility and Work Opportunity Reconciliation
Act of 1996 (Pub. L. No. 104-193); and Executive Order 13411. FEMA asks for your SSN
pursuant to the Debt Collection Improvement Act of 1996, 31 U.S.C. §§ 3325(d) and 7701(c)(1).
PRINCIPAL PURPOSE(S): This information is being collected for the primary purpose of
determining eligibility and administrating financial assistance under a Presidentially-declared
disaster. Additionally, information may be reviewed internally within FEMA for quality control
purposes.
ROUTINE USE(S): The information on this form may be disclosed as generally permitted under
5 U.S.C. § 552a(b) of the Privacy Act of 1974, as amended. This includes using this information
as necessary and authorized by routine uses published in DHS/FEMA – 008 Disaster Recovery
Assistance Files System of Records, 74 Fed. Reg. 48763 (Sep. 24, 2009), and upon written
consent, written request by, by agreement, or as required by law.
DISCLOSURE: The disclosure of information on this form is voluntary; however, failure to
provide the information requested may delay or prevent the individual from receiving disaster
assistance.