Privacy Impact Assessment (PIA)

February 5, 2020 EDAGR PIA.pdf

Form 3 - Initial Statement of Beneficial Ownership of Securities

Privacy Impact Assessment (PIA)

OMB: 3235-0104

Document [pdf]
Download: pdf | pdf
U.S. Securities and Exchange Commission

Electronic Data Gathering, Analysis and Retrieval (EDGAR)
PRIVACY IMPACT ASSESSMENT (PIA)

February 5, 2020

EDGAR Business Office (EBO)

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)
1.1

Section 1: System Overview
Name of Project or System
Electronic Data Gathering, Analysis and Retrieval (EDGAR)

1.2

Is the system internally or externally hosted?
Internally Hosted (SEC)

☒
1.3

Reason for completing PIA
☒ This is an existing system undergoing an update
Description of update: This PIA update reflects the new collection of information in the system,
including information on addition of new regulated entities, and changes in
technology, controls and functionality.

1.4

Does the system or program employ any of the following technologies?
☒ Enterprise Data Warehouse (EDW)
☒ www.sec.gov Web Portal

2.1

Section 2: Authority and Purpose of Collection
Describe the project and its purpose or function in the SEC’s IT environment
The Electronic Data Gathering, Analysis and Retrieval (EDGAR) is the SEC’s electronic filing system that
provides an individual, company, or agent who registers with the SEC the capability to transmit legally required
submissions. EDGAR is internally hosted by the Office of Information Technology (OIT) and consists of a
complex and highly integrated collection of hardware, software, tools, and databases. The system automates
the receipt, acceptance, internal processing, management, and dissemination of millions of registration
statements, annual/quarterly reports, ownership filings, and other filings from over 28,000 registered entities
and millions of individual filers received by the SEC throughout each year. SEC examiners rely on EDGAR to
have a source of timely, comprehensive, and accurate information.
System enhancements to EDGAR are implemented to support the requirements of the SEC’s regular
rulemaking, including requirements that new rules impose on registrants. While EDGAR system enhancements
focus on the functionality of the current system, the EDGAR Redesign (ERD) program is a multi-year, crossagency initiative aimed toward delivering a new electronic disclosure solution to replace the current system.
The EDGAR Business Office (EBO) provides direct executive-level oversight for the ongoing transformation
of specific functions and programs to include business ownership of the EDGAR and the EDGAR redesign
program initiative.
Generally, PII about individuals associated with Regulated Entities is used:
•

•
•

To identify individuals acting as Transfer Agents, Broker Dealers, Investment Advisers, Municipal
Advisors, or individuals associated with regulated entities in other capacities, for the EDGAR
registration process;
To communicate with Transfer Agents, Broker Dealers, Investment Advisers, Municipal Advisors, or
individuals associated with regulated entities in other capacities, regarding their filing submissions;
By the SEC and other enforcement agencies in any enforcement or disciplinary proceedings or
complaint-related inquiries concerning Transfer Agents, Broker Dealers, Investment Advisers,
Municipal Advisors, or individuals associated with regulated entities in other capacities; and

Page 1 of 7

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)
•

By the SEC or SEC-regulated institutions that employ Transfer Agents, Broker Dealers, Investment
Advisers, Municipal Advisors, or individuals associated with regulated entities in other capacities, for
taking disciplinary actions or making employment decisions.

The SEC utilizes the EDGAR filing websites, Online Forms Management and Filer Management to receive
forms from registrants electronically.
External EDGAR, available on SEC.gov, contains publicly-disseminated submissions. Internal EDGAR, also
known as the EDGAR workstation, is available to authorized Commission staff and contains both public and
non-public information. The system is designed to separate non-public from public information and disseminate
only public information through the EDGAR Dissemination Service, a separate system that markets data
directly to subscribers.
2.2

What specific legal authorities, arrangements, and/or agreements allow the information to be collected?
15 U.S.C. 77a et seq., 78a et seq., 80a-1 et seq., 80b-1 et seq.; and rules and regulations adopted by the
Commission under the Securities Act of 1933, the Securities Exchange Act of 1934, the Investment Company
Act of 1940, the Investment Advisors Act of 1940 and Section 975(a) of the Dodd-Frank Wall Street Reform
and Consumer Protection Act.

2.3

Does the project use, collect, or maintain Social Security numbers (SSNs)? This includes truncated SSNs.
☒ No

2.4

Do you retrieve data in the system by using a personal identifier?
☒ Yes, there is an existing SORN

2.5

Is the information covered by the Paperwork Reduction Act of 1995 (PRA)?
☒ Yes
Multiple forms uploaded and stored in EDGAR are subject to PRA requirements. The SEC’s current
inventory of all collections of information from the public for which it has received prior approval from
OMB, as required by the Paperwork Reduction Act is located at the following link:
https://www.reginfo.gov/public/do/PRAMain

2.6

Considering the purpose of the collection, what privacy risks were identified and how were those risks
mitigated?
EDGAR was developed to automate the receipt, acceptance, internal processing, management, and
dissemination of millions of registration statements, annual/quarterly reports, ownership filings, and other
filings received by the SEC throughout each year. The main privacy risks are that individuals may not
understand the purpose for collecting the information and information provided for one purpose may be used
inappropriately.
To mitigate this risk, forms will contain the statute to which information collection is authorized. EDGAR
submissions are authorized by various statutes including the Securities Act of 1933, the Securities Exchange
Act of 1934, the Investment Company Act of 1940, the Investment Advisors Act of 1940 and Section 975(a) of
the Dodd-Frank Wall Street Reform and Consumer Protection Act. Moreover, the legal authority is documented
in various SORNs, including SEC's Division of Corporation Finance Records, 83 FR 6892(February 15, 2018),
SEC's Division of Investment Management Records, 83 FR 6892(February 15, 2018), and SEC's Division of
Trading and Markets Records, 83 FR 6892(February 15, 2018).

3.1

Section 3: Data Collection, Minimization, and Retention
What information is collected, maintained, used, or disseminated about individuals? Check all that apply.
Page 2 of 7

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)

General Personal Data
☒ Name
☒ Email Address
☒ Zip Code
☒ Financial Information
Work-Related Data
☒ Job Title
☒ Work Address
☒ Telephone Number
☒ Email Address
☒ Certificate/License Number
☒ Fax Number
System Administration/Audit Data
☒ IP Address
☒ Date/Time of Access
☒ Other: CIK
3.2

Why is the PII listed in Question 3.1 collected, used, shared, or maintained by the system or project?
EDGAR serves as the principal financial/entity data repository for the SEC. Filers submit information to the
SEC via registration statements, annual/quarterly reports, ownership filings, and other filings throughout each
year. Several filings require that the registered entity provide personal or business contact information.
Submissions may contain PII in order to allow and provide for follow up on the filing, send email notifications
of file submission, and for other communications, regarding filings made.
SEC staff uses the data to: (1) perform analysis and review of disclosure documents submitted to the SEC; (2)
investigate and research submissions; (3) disseminate data, including under the Freedom of Information Act
(FOIA); (4) create reports; and (5) perform workflow management. Externally, EDGAR filing data is
disseminated to the public on the SEC.gov website and provides the public an accurate, complete and fast
method of obtaining all accepted and valid EDGAR filings. EDGAR Data is also transferred to the EDGAR
Public Dissemination Service (PDS). This privatized PDS System is the primary source to receive a dedicated
feed of all public EDGAR filings. Subscribers to the PDS System are required to enter into a paid Subscription
Agreement to access this service.

3.3

Whose information may be collected, used, shared, or maintained by the system?
☒ Members of the Public
Purpose:
Registered entities submit filings to the SEC

3.4

Describe the PII minimizing mechanisms and if the PII from the system is being used for testing, training,
and/or research efforts.
EDGAR supports the capability for some filings to be submitted as a test. Therefore, some of the data it
receives is test data. Test filings do not contain live PII. In addition, test filings are deleted upon receipt.

3.5

Has a retention schedule been established by the National Archives and Records Administration
(NARA)?
☒ Yes.
Multiple forms uploaded and stored in EDGAR are subject to General Records Schedules (GRS)
prescribed by the National Archives and Records Administration (NARA). Refer to the applicable SORN
listed in Section 4.1 below for the applicable record retention schedule.
Page 3 of 7

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)
3.6

What are the procedures for identification and disposition at the end of the retention period?
The procedures for identification and disposition of the data at the end of the retention period are commensurate
with the System of Records Notice applicable to the filing type as delineated in the SEC Program Records List
(for SEC-specific records), and the General Records Schedule prescribed by the National Archives and Records
Administration (NARA).
The SEC Records Schedules and NARA General Records Schedule provide mandatory instructions (disposition
instructions) to all NARA staff regarding how to maintain the Commission’s operational records and what to do
with them when they are no longer needed for current business. The disposition instructions state whether
individual series of records are permanent or temporary, as well as how long to retain the records. Records with
historical value, identified as permanent, are transferred to the National Archives of the United States. All other
records are identified as temporary and are eventually destroyed in accordance with the Records Schedule.
Records that are unscheduled, or do not have NARA’s approval, are permanently maintained until the office
determines the value and proposes retention of those records. The proposed retention schedule must be
submitted to NARA to gain its approval prior to the office applying retention.

3.7

Will the system monitor members of the public, employees, and/or contractors?
☒ N/A

3.8

Considering the type of information collected, what privacy risks were identified and how were those
risks mitigated?
The primary privacy risk is inadvertent disclosure of sensitive PII associated with Identifying Numbers in
Section 3.1 that may be submitted in attachments to filings, e.g., exhibits. This risk is mitigated by
implementing technological controls that permit the automatic redaction of certain number patterns from filing
information prior to posting on the SEC’s public website.

4.1

Section 4: Openness and Transparency
What forms of privacy notice were provided to the individuals prior to collection of data? Check all that
apply.
☒ Privacy Act Statement
Multiple forms uploaded to EDGAR have Privacy Act Statements on the form or instructions to the form.
☒ System of Records Notice
SEC-61 “Municipal Advisor Records”, 75 FR 51854 (August 23, 2010)
SEC-62 “Correspondence Files Pertaining to Municipal Advisors; Municipal Advisor Logs”, 75 FR 51854
(August 23, 2010)
SEC-68 “SEC's Division of Corporation Finance Records”, 83 FR 6892 (February 15, 2018)
SEC-69 “SEC's Division of Investment Management Records”, 83 FR 6892 (February 15, 2018)
SEC-70 “SEC's Division of Trading and Markets Records”, 83 FR 6892 (February 15, 2018)
☒ Privacy Impact Assessment
Date of Last Update: 2/5/2020
☒ Web Privacy Policy
SEC’s Web Site Privacy and Security Policy. The link is http://www.sec.gov/privacy

4.2

Considering the method(s) of notice provided what privacy risks were identified regarding adequate
notice and how were those risks mitigated?
Page 4 of 7

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)

The primary privacy risk is inadequate notice to individuals. This risk is mitigated through publication of SEC
Rules in the Federal Register which provide the legal authority for requesting the information, the purposes for
which the information will be used and disclosed, and the consequences of their not providing any or all of the
requested information.
Additionally, before a regulated entity can electronically file with the SEC on EDGAR, they must submit the
Form ID, which enables filers to obtain a unique Central Index Key (CIK). The Form ID (Part III—Contact
Information) will provide notice to filers that personal information, including email address, will be stored on
EDGAR. Ultimately, the publication of this PIA and the system of records notice SEC-68, SEC-69, and SEC-70
provide the public with notice of the collection, use and maintenance of this information.
5.1

Section 5: Limits on Uses and Sharing of Information
What methods are used to analyze the data?
EDGAR is a dissemination system and does not analyze data for the purposes of deriving new data or creating
previously unavailable data about an individual through aggregation from the information submitted in the
system. The data is collected only for purposes of managing and processing filings and related documents.

5.2

Will internal organizations have access to the data?
☒ Yes
Organizations: EDGAR is an enterprise system. Internally, each division or office may share non-public
information, in the form of reports or through access to the system, with authorized
agency users who demonstrate a bona fide need to know the information. All SEC
divisions and offices may use EDGAR data, but the Division of Investment Management
(IM), Division of Corporation Finance (CF), Division of Trading and Markets (TM),
Division of Economic and Risk Analysis (DERA), Division of Enforcement (ENF) and
Office of Compliance Inspections and Examinations (OCIE) are the primary users.

5.3

Describe the risk to privacy from internal sharing and describe how the risks are mitigated.
EDGAR workstation is available to authorized SEC staff and contains both public and non-public information.
The primary privacy risk is inadvertent or inappropriate sharing of non-public data with unauthorized
individuals. This risk is mitigated through role-based access. In addition, certain submission types are not
accessible from SEC Workstations, unless suspended or blocked. In those instances, authorized staff are
available to assist in ensuring submission of the filing.

5.4

Will external organizations have access to the data?
☒ Yes
Organizations: Data that should be made publicly available is disseminated to the public and to
subscribers via the SEC website and the Public Dissemination System (PDS).
Additionally, some data is shared with Financial Industry Regulatory Authority (FINRA)
and to other external entities that are consistent with the routine uses stated in the various
SEC SORNs for EDGAR data. Each subscriber determines their own internal procedures
for securing the data.

5.5

Describe the risk to privacy from external sharing and describe how the risks are mitigated.
The primary privacy risk associated with external sharing is the risk of disclosure to unauthorized recipients
during the transmission of information to external entities. The data is transmitted electronically to the SEC's
public site through the SEC's network, and to public disseminators and FINRA through the Internet and secured
network connections. Data may also be transmitted via a secured encrypted manner, including encrypted email
Page 5 of 7

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)
and encrypted File Transfer Protocol. In addition, all external communications from EDGAR utilize SEC OIT
infrastructure elements, site-to-site VPN and encryption technologies.
6.1

Section 6: Data Quality and Integrity
Is the information collected directly from the individual or from another source?
☒ Directly from the individual.
☒ Other source(s): Registered entities may submit information on officers, board members, or customers
through EDGAR

6.2

What methods will be used to collect the data?
Filers submit information to the SEC via registration statements, annual/quarterly reports, ownership filings, and
other filings throughout each year. EDGAR consists of multiple subsystems by which data is collected, used,
maintained or disseminated.

6.3

How will the data collected from individuals, or derived by the system, be checked for accuracy and
completeness?
EDGAR Application has validations to ensure that the data collected from individuals meets certain
requirements. It is the responsibility of the Filer to provide accurate information. EDGAR supports the
capability for some filings to be submitted as a test to make sure the submission is correct by checking all of the
assembled documents and applying host-processing steps like determining the fee and checking your security
codes. For a test submission, fees will not be deducted, the filing will not be disseminated, and the filing will not
be considered filed with the SEC.

6.4

Does the project or system process, or access, PII in any other SEC system?
☒ No

6.5

Consider the sources of the data and methods of collection and discuss the privacy risk for this system
related to data quality and integrity? How are these risks mitigated?
The primary privacy risk involves incomplete or inaccurate information that can lead to incorrectly informed
decisions by regulators, financial loss to the investing public, and reputational loss to the regulated entity. This
risk is mitigated by collecting data directly from filers to the extent possible. EDGAR has validations to ensure
that data meets the specifications as required for each form.

7.1

Section 7: Individual Participation
What opportunities are available for individuals to consent to uses, decline to provide information, or opt
out of the project? If no opportunities are available to consent, decline or opt out, please explain.
Information is obtained from individuals pursuant to the requirements of federal securities laws. To fulfill those
requirements, filers must submit certain data on individuals. Individuals submitting filings in the EDGAR
System are responsible for submitting accurate information. The system allows electronic filers to transmit their
submissions in test mode before they commit to a live version to provide iterative error analysis and feedback.
Because the individual, or their designated third party, submits the information about him or herself directly, the
likelihood of erroneous PII is greatly reduced. EDGAR has internal application business rules and syntactic
processing in place to verify all transmissions into EDGAR.

7.2

What procedures are in place to allow individuals to access their information?
Persons wishing to obtain information on the procedures for gaining access to their information may contact the
FOIA/PA Officer, Securities and Exchange Commission, 100 F Street, NE, Mail Stop 5100, Washington, DC
20549-2736.

7.3

Can individuals amend information about themselves in the system? If so, how?
Page 6 of 7

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)

Persons wishing to amend their information in records may contact the FOIA/PA Officer, Securities and
Exchange Commission, 100 F Street, NE, Mail Stop 5100, Washington, DC 20549-2736.
7.4

8.1

9.1

Discuss the privacy risks related to individual participation and redress. How were these risks mitigated?
The primary risk is outdated or inaccurate information. This risk is mitigated by capability for Filers to
subsequent amend filings to correct any erroneous information submitted in the prior filing. In addition, SEC
procedures for amendment or correction of records is published in the applicable SORNs.
Section 8: Security
Has the system been authorized to process information?
☒ Yes
Section 9: Accountability and Auditing
Describe what privacy training is provided to users, either general or specific to the system or project.
All users must complete mandatory training on SEC Privacy and Information Security Awareness, Protecting
Nonpublic Information, and Records Management. EDGAR Filer Technical Support team also provides training
on the EDGAR functionality.

9.2

Does the system generate reports that contain information on individuals?
☒ Yes
Submissions may contain PII in order to allow and provide for follow up on the filing, send email
notifications of file submission, and for other communications, regarding filings made.

9.3

Do contracts for the system include Federal Acquisition Regulation (FAR) and other applicable clauses
ensuring adherence to the privacy provisions and practices?
☒ Yes

9.4

Does the system employ audit logging or event logging?
☒ Yes

9.5

What auditing measures/controls and technical safeguards are in place to prevent misuse (e.g.,
unauthorized browsing) of the data? What mechanisms are in place to identify security breaches?
Audit records are generated at various levels depending on system resources and the criticality of a system. EDGAR
selects the right level of abstraction to maintain audit capabilities and to facilitate the identification of root causes to
problems and workarounds to incidents.

9.6

Given the sensitivity of the PII in the system, manner of use, and established safeguards, describe the
expected residual risk related to access.
EDGAR is used to process a vast amount of company information provided by filers. The SEC has implemented
substantial safeguards, including access controls, encryption of non-public data, and firewalls, to protect this
information, but there is always a minimal risk of sharing or disclosure to unauthorized individuals.

Page 7 of 7


File Typeapplication/pdf
File TitleThe mission of the Securities and Exchange Commission (SEC) is to protect investors; maintain fair, orderly, and efficient marke
File Modified2020-02-26
File Created2020-02-26

© 2024 OMB.report | Privacy Policy