Download: docx | pdf

Privacy Impact Assessment

Domestic Hemp Production Program (DHPP)

• Version: 1.4

• Date: November 15, 2019

• Prepared for: USDA OCIO-Policy, E-Government and Fair Information Practices (PE&F)

Privacy Impact Assessment for the

U.S. Domestic Hemp Production Program (DHPP)

November 15, 2019

Contact Point

William F. Richmond

Agricultural Marketing Service

(202)720-9921

Reviewing Official

Teresa Gilbert

Branch Chief, MRPBS

United States Department of Agriculture

(301) 851-2524

Abstract

The new system is the AMS HEMP Program. The Agriculture Improvement Act of 2018 (2018 Farm Bill) directs the U.S. Department of Agriculture (USDA) to establish a domestic hemp production program. As part of this program, the 2018 Farm Bill requires USDA to collect data from States and Tribal Nations regarding hemp growers under their jurisdiction as well as licensing information on growers operating under the USDA hemp production plan. Additionally, the 2018 Farm Bill requires USDA to share the collected information with Federal, State, territorial, and local law enforcement. The Agricultural Marketing Service (AMS) is the USDA agency tasked with implementing the domestic hemp production program.

Overview

The system name is the AMS HEMP Program and AMS owns the system.

The 2018 Farm Bill mandates that that USDA establish the Domestic Hemp Production Program. As part of this program, the 2018 Farm Bill requires USDA to collect data from States and Tribal Nations regarding hemp growers under their jurisdiction as well as licensing information on growers operating under the USDA hemp production plan. Additionally, the 2018 Farm Bill requires USDA to share the collected information with Federal, State, territorial, and local law enforcement. The AMS HEMP Program system will leverage the Department of Justice, Drug Enforcement Administration (DEA)’s El Paso Intelligence Center (EPIC) to fulfill this requirement.

This system will provide a secure public facing interface where applicants (both individuals and businesses) can submit their licensing information, including attaching PDFs, JPEGs, DOC, etc. This system will also provide a secure interface where States and Tribal Nations may submit their state or tribal plans for USDA approval, their licensee or authorized producer information (as indicated above), land identification information, monthly reports on the disposal of non-conforming plants and materials, and annual reports.

This system will interface with Farm Service Agency (FSA) to receive information from licensees which will include: field acreage, greenhouse or indoor square footage of hemp planted; street address; geospatial location or other comparable identification method which specifies where the hemp will be produced; and legal description of the land. Additionally, this system will provide real time external reporting of relevant data to FSA and DEA.

While this system is being built, USDA will manually collect information from States, Tribes, and Laboratories, and manually share information with the DEA.

All security controls will adhere to NIST 800-53, which includes recommended security controls for Federal information Systems and organizations.

Section 1.0 Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, rule, or technology being developed.

1.1 What information is collected, used, disseminated, or maintained in the system?

The information collected and disseminated includes: name and address of grower; street address, legal description of the land, field acreage, greenhouse or indoor square footage of hemp planted; GIS coordinates of land on which hemp is grown; laboratory results from testing crop prior to harvest; report on disposal of noncompliant plants; criminal history reports; and licensing or authorization identifier and status of grower.

AMS will share information with DEA.

1.2 What are the sources of the information in the system?

AMS will receive information from FSA, States, Tribal Nations, laboratories, applicants for USDA license; and USDA-licensed growers.

1.3 Why is the information being collected, used, disseminated, or maintained?

The 2018 Farm Bill requires USDA to collect data from States and Tribal Nations regarding hemp growers under their jurisdiction as well as licensing information on growers operating under the USDA hemp production plan. Additionally, the 2018 Farm Bill requires USDA to share the collected information with Federal, State, territorial, and local law enforcement.

1.4 How is the information collected?

Electronically and in hard copy via forms.

1.5 How will the information be checked for accuracy?

The system has a series of data validation rules.  Users are responsible for checking data prior to submission, which is then reviewed by USDA. The 2018 Farm Bill requires USDA to conduct inspections and audits of individual growers licensed under the USDA hemp production plan, as well as States and Tribes administering their own hemp production plans. These inspections and audits are conducted by subject matter experts.

1.6 What specific legal authorities, arrangements, and/or agreements defined the collection of information?

Section 10113 of the 2018 Farm Bill, codified at 7 U.S.C. 1639q(d).

1.7 Privacy Impact Analysis: Given the amount and type of data collected, discuss the privacy risks identified and how they were mitigated.

Access to AMS HEMP Program is strictly controlled, with access granted through the USDA secure single sign-on application e-Authentication with level 2 validation and authorization within AMS/USDA.  The AMS HEMP Program is role based and users access the system using unique authorized accounts and are assigned level-of-access roles based on their needs.  The level of access for the user restricts the data that can be seen and the degree to which data may be modified by the user. Any information transmitted to DEA will be encrypted.

Section 2.0 Uses of the Information

The following questions are intended to delineate clearly the use of information and the accuracy of the data being used.

2.1 Describe all the uses of information.

AMS will collect the data as required by the 2018 Farm Bill to ensure compliance of the Farm Bill including sharing with the DEA who will share information with other Federal, State and local law enforcement agencies. The data is used to make licensing and compliance determinations regarding hemp growers across the United States. This could include suspension or revocation of a hemp production license, or reporting to the U.S. Attorney General.

2.2 What types of tools are used to analyze data and what type of data may be produced?

Queries will be used to retrieve and analyze data which will be shared through creation of reports.

2.3 If the system uses commercial or publicly available data please explain why and how it is used.

No commercial or publicly available data will be used.

2.4 Privacy Impact Analysis: Describe any types of controls that may be in place to ensure that information is handled in accordance with the above described uses.

See answer 1.7.

Section 3.0 Retention

The following questions are intended to outline how long information will be retained after the initial collection.

3.1 How long is information retained?

Information will be retained for five (5) years.

3.2 Has the retention period been approved by the component records officer and the National Archives and Records Administration (NARA)?

We are working with NARA to establish a records retention schedule.

3.3 Privacy Impact Analysis: Please discuss the risks associated with the length of time data is retained and how those risks are mitigated.

No risks have been identified with the stated length of time.

Section 4.0 Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the United States Department of Agriculture.

4.1 With which internal organization(s) is the information shared, what information is shared and for what purpose?

AMS will receive information on GIS coordinates of land on which hemp is grown from FSA and provide FSA with license and contact information on hemp producers.

4.2 How is the information transmitted or disclosed?

Electronically between the two Agencies.

4.3 Privacy Impact Analysis: Considering the extent of internal information sharing, discuss the privacy risks associated with the sharing and how they were mitigated.

There are limited privacy risks in the sharing of this information as the information is business-related. Risks are mitigated by only providing limited information on a need to know basis.

Section 5.0 External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to USDA which includes Federal, State and local government, and the private sector.

5.1 With which external organization(s) is the information shared, what information is shared, and for what purpose?

As required under the 2018 Farm Bill to share information with Federal, State, territorial, and local law enforcement, USDA will share information with the DEA on who is licensed to grow hemp, where the hemp is grown, and whether the producer of said hemp is in “good standing” with a USDA, State or Tribe. DEA will in turn share the information with law enforcement through EPIC.

5.2 Is the sharing of personally identifiable information outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the personally identifiable information outside of USDA.

The SORN is being published in connection with the regulations implementing the Domestic Hemp Production Program.

5.3 How is the information shared outside the Department and what security measures safeguard its transmission?

Information will be shared between AMS and DEA through an Application Program Interface.

5.4 Privacy Impact Analysis: Given the external sharing, explain the privacy risks identified and describe how they were mitigated.

Risks of exposing the limited PII that will be shared are mitigated by effective security measures. User access controls are in place which allows disclosure to only authorized DEA employees. All security controls will comply with NIST 800-53.

Section 6.0 Notice

The following questions are directed at notice to the individual of the scope of information collected, the right to consent to uses of said information, and the right to decline to provide information.

6.1 Does this system require a SORN and if so, please provide SORN name and URL.

The SORN is being published in connection with the regulations implementing the Domestic Hemp Production Program.

6.2 Was notice provided to the individual prior to collection of information?

Yes. The interim final rule implementing the Domestic Hemp Production Program described the required information that AMS will collect from individuals and how that information will be shared. Additionally, all forms will include a Privacy Act statement that will disclose the authority under which the information will be collected and how that information will be used and shared. States and Tribal Nations may also include privacy notices in their forms.

6.3 Do individuals have the opportunity and/or right to decline to provide information?

Individual may decline to provide the information. However, without the information, USDA, States, or Tribal Nations may not be able to issue or renew a license or authorization to produce hemp under the Domestic Hemp Production Program.

6.4 Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

No, all uses of the information are required by the 2018 Farm Bill and must be provided to acquire a USDA hemp grower license.

6.5 Privacy Impact Analysis: Describe how notice is provided to individuals, and how the risks associated with individuals being unaware of the collection are mitigated.

Notice is provided when users submit a license application form or enter information into the system electronically.

Section 7.0 Access, Redress and Correction

The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.

7.1 What are the procedures that allow individuals to gain access to their information?

The system will allow certain users role-based access to their data thru E-authorization.

7.2 What are the procedures for correcting inaccurate or erroneous information?

The system will allow users role-based access to their data thru E-authorization.

7.3 How are individuals notified of the procedures for correcting their information?

The application will tell users they can edit the data (i.e., edit button)

7.4 If no formal redress is provided, what alternatives are available to the individual?

Applicants/other users can email or call the general office number for the AMS HEMP Program staff.

7.5 Privacy Impact Analysis: Please discuss the privacy risks associated with the redress available to individuals and how those risks are mitigated.

The privacy risks associated with the redress available to individuals is minimal. The risks are accepted by the individual in seeking licensure by the government as all information is required by the 2018 Farm Bill. Redress is available when necessary as indicated above.

Section 8.0 Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

8.1 What procedures are in place to determine which users may access the system and are they documented?

End users have access only to their own information and have write privileges to a very limited subset of this information. 

System administrators, database administrators, and designated application representatives have customized access based on the requirements needed for completing their specific job functions.

Regarding access role management, the Agency application business owners designate internal access role administrators, and they are responsible for maintaining the access role membership.

When identity management views are assigned to a user, the view is limited to the least amount of data needed for completing the user’s specific job functions.  If Personally Identifiable Information is included in the view, the administrator receiving the view must adhere to security precautions as outlined in AMS and Department regulations.

8.2 Will Department contractors have access to the system?

Access is based on need. If there is a need to access the system, they would go through the same procedures as other users.

8.3 Describe what privacy training is provided to users either generally or specifically relevant to the program or system?

AMS requires all system users to take privacy and cybersecurity training on an annual basis. The records are stored electronically for verification purposes.

8.4 Has Certification & Accreditation been completed for the system or systems supporting the program?

In progress.

8.5 What auditing measures and technical safeguards are in place to prevent misuse of data?

The system uses e-authentication and e-authorization for role-based access to provide least privilege and prevent unauthorized access.  There is electronic validation of many of the data elements, and manual audits are conducted on a regular basis.

8.6 Privacy Impact Analysis: Given the sensitivity and scope of the information collected, as well as any information sharing conducted on the system, what privacy risks were identified and how do the security controls mitigate them?

The security controls are implemented based on the NIST SP 800-53 security control requirements and have been approved to mitigate risk to an adequate level.

The AMS Hemp Program Risk Assessment indicates that the system contains privacy information in accordance with the Privacy Act. Therefore, controls defined in NIST 800-53 have been implemented to mitigate risks. The following controls are applicable:

AR-02 – Privacy Impact and Risk Assessment

AR-05 – Privacy Awareness and Training

TR-02 – Systems of Records Notices and Privacy Act Statements

Additionally, access controls are established to ensure proper authentication and non-repudiation. Each user is required to read and acknowledge the Rules of Behavior prior to receiving account credentials.

Section 9.0 Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware and other technology.

9.1 What type of project is the program or system?

The AMS Hemp Program system is used for data collection to support compliance in establishing a domestic hemp production program as described in the 2018 Farm Bill.

9.2 Does the project employ technology which may raise privacy concerns? If so please discuss their implementation.

No.

Section 10.0 Third Party Websites/Applications

The following questions are directed at critically analyzing the privacy impact of using third party websites and/or applications.

10.1 Has the System Owner (SO) and/or Information Systems Security Program Manager (ISSPM) reviewed Office of Management and Budget (OMB) memorandums M-10-22 “Guidance for Online Use of Web Measurement and Customization Technology” and M-10-23 “Guidance for Agency Use of Third-Party Websites and Applications”?

Yes.

10.2 What is the specific purpose of the agency’s use of 3^rd party websites and/or applications?

N/A.

10.3 What personally identifiable information (PII) will become available through the agency’s use of 3^rd party websites and/or applications.

N/A.

10.4 How will the PII that becomes available through the agency’s use of 3^rd party websites and/or applications be used?

N/A.

10.5 How will the PII that becomes available through the agency’s use of 3^rd party websites and/or applications be maintained and secured?

N/A.

10.6 Is the PII that becomes available through the agency’s use of 3^rd party websites and/or applications purged periodically?

N/A.

10.7 Who will have access to PII that becomes available through the agency’s use of 3^rd party websites and/or applications?

N/A.

10.8 With whom will the PII that becomes available through the agency’s use of 3^rd party websites and/or applications be shared - either internally or externally?

N/A.

10.9 Will the activities involving the PII that becomes available through the agency’s use of 3^rd party websites and/or applications require either the creation or modification of a system of records notice (SORN)?

No.

10.10 Does the system use web measurement and customization technology?

No.

10.11 Does the system allow users to either decline to opt-in or decide to opt-out of all uses of web measurement and customization technology?

N/A.

10.12 Privacy Impact Analysis: Given the amount and type of PII that becomes available through the agency’s use of 3^rd party websites and/or applications, discuss the privacy risks identified and how they were mitigated.

N/A.

Agency Approval Signature

________________________________

System Owner

AMS HEMP Program

Agricultural Marketing Service

United States Department of Agriculture

________________________________

MRP CISO or MRP ISSPM

Marketing and Regulatory Programs

United States Department of Agriculture

________________________________

Mark R. Brook

Privacy Act Officer

Agricultural Marketing Service

United States Department of Agriculture

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author	Bennett, Patty - AMS
File Modified	0000-00-00
File Created	2021-08-12