Download:
pdf |
pdfPrivacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 1 of 8
PRIVACY THRESHOLD ANALYSIS (PTA)
This form is used to determine whether
a Privacy Impact Assessment is required.
Please use the attached form to determine whether a Privacy Impact Assessment (PIA) is required under
the E-Government Act of 2002 and the Homeland Security Act of 2002.
Please complete this form and send it to your component Privacy Office. If you do not have a component
Privacy Office, please send the PTA to the DHS Privacy Office:
Senior Director, Privacy Compliance
The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
Tel: 202-343-1717
[email protected]
Upon receipt from your component Privacy Office, the DHS Privacy Office will review this form. If a
PIA is required, the DHS Privacy Office will send you a copy of the Official Privacy Impact Assessment
Guide and accompanying Template to complete and return.
A copy of the Guide and Template is available on the DHS Privacy Office website,
www.dhs.gov/privacy, on DHSConnect and directly from the DHS Privacy Office via email:
[email protected], phone: 202-343-1717.
�Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 2 of 8
PRIVACY THRESHOLD ANALYSIS (PTA)
SUMMARY INFORMATION
Project or
Program Name:
FEDERAL ASSISTANCE FOR OFFSITE RADIOLOGICAL EMERGENCY
PLANNING [OMB # 1660-0024]
Component:
Federal Emergency
Management Agency (FEMA)
Office or
Program:
Radiological Emergency
Preparedness Program
(REP), Professional Services
& Integration, Technological
Hazards Division (THD),
National Preparedness
Directorate (NPD)
Xacta FISMA
Name (if
applicable):
Click here to enter text.
Xacta FISMA
Number (if
applicable):
Click here to enter text.
Type of Project or
Program:
Form or other Information
Collection
Project or
program
status:
Existing
Date first
developed:
Date of last PTA
update
January 1, 2005
Pilot launch
date:
Click here to enter a date.
November 1, 2012
Pilot end date:
Click here to enter a date.
ATO Status (if
applicable)
Choose an item.
ATO
expiration date
(if applicable):
Click here to enter a date.
PROJECT OR PROGRAM MANAGER
Name:
D.J. Mauldin
Office:
Radiological Preparedness
Branch
Title:
Management Analyst
Phone:
202-212-2127
Email:
[email protected]
INFORMATION SYSTEM SECURITY OFFICER (ISSO) (IF APPLICABLE)
Name:
Click here to enter text.
Phone:
Click here to enter text.
Email:
Click here to enter text.
�Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 3 of 8
Specific PTA Questions
1. Reason for submitting the PTA: Renewal PTA
Pursuant to Executive Order 12657 (53 FR 47513, Nov. 18, 1988) whenever State or local governments,
either individually or together, decline or fail to prepare commercial nuclear power plant offsite
radiological emergency preparedness plans that are sufficient to satisfy Nuclear Regulatory Commission
(NRC) licensing requirements or to participate adequately in the preparation, demonstration, testing,
exercise, or use of such plans, a utility owner (“licensee”) which has received a license from the NRC to
operate a commercial nuclear power plant may request FEMA assistance.
FEMA regulations at 44 C.F.R. Part 352 establishes the framework for FEMA to provide Federal
assistance, or resources, to the NRC licensees. Per 44 C.F.R. 352.2(a):
“This Part applies whenever State or local governments, either individually or together, decline or fail to
prepare commercial nuclear power plant offsite radiological emergency preparedness plans that are
sufficient to satisfy NRC licensing requirements or to participate adequately in the preparation,
demonstration, testing, exercise, or use of such plans. In order to request the assistance provided for in
this Part, an affected nuclear power plant applicant or licensee shall certify in writing to FEMA that the
above situation exists.”
The licensee must submit their request for resources in a written statement to the host FEMA Regional
Office pursuant to 44 C.F.R. § 352.4. The Regional Office will then forward the request to the FEMA
Deputy Administrator for the National Preparedness Directorate for an "approve" or "decline"
determination. The request becomes part of FEMA's official record, and is stored in a file cabinet within
FEMA Headquarters.
FEMA's decision/response to the licensee's request is based on information that includes:
(1) Whether the licensee has made maximum use of its own resources; and
(2) The extent to which the licensee has complied with the 44 C.F.R. Part 352 requirements.
It should be noted that no licensee has ever requested the use of FEMA resources since the issuance of
Executive Order 12657 or 44 C.F.R. Part 352. Nevertheless, having this Collection approved and in place
eliminates the need for urgency should a licensee ever submit a request of this nature.
2. Does this system employ any of the
following technologies:
If you are using any of these technologies and
want coverage under the respective PIA for that
technology please stop here and contact the DHS
Privacy Office for further guidance.
Closed Circuit Television (CCTV)
Social Media
Web portal 1 (e.g., SharePoint)
Contact Lists
None of these
1
Informational and collaboration-based portals in operation at DHS and its components that collect, use, maintain, and share
limited personally identifiable information (PII) about individuals who are “members” of the portal or “potential members” who
seek to gain access to the portal.
�Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 4 of 8
3. From whom does the Project or
Program collect, maintain, use, or
disseminate information?
Please check all that apply.
This program does not collect any personally
identifiable information 2
Members of the public
DHS employees/contractors (list components):
Contractors working on behalf of DHS
Employees of other federal agencies
4. What specific information about individuals is collected, generated or retained?
•
•
•
•
Name
Position Title
Business Phone Number
Business Address
4(a) Does the project, program, or system
retrieve information by personal identifier?
4(b) Does the project, program, or system
use Social Security Numbers (SSN)?
4(c) If yes, please provide the specific legal
basis and purpose for the collection of
SSNs:
4(d) If yes, please describe the uses of the
SSNs within the project, program, or
system:
4(e) If this project, program, or system is
an information technology/system, does it
relate solely to infrastructure?
No. Please continue to next question.
Yes. If yes, please list all personal identifiers
used:
No.
Yes.
Click here to enter text.
Click here to enter text.
No. Please continue to next question.
Yes. If a log kept of communication traffic,
please answer the following question.
For example, is the system a Local Area Network
(LAN) or Wide Area Network (WAN)?
4(f) If header or payload data 3 is stored in the communication traffic log, please detail the data
2
DHS defines personal information as “Personally Identifiable Information” or PII, which is any information that permits the
identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual,
regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to
the Department. “Sensitive PII” is PII, which if lost, compromised, or disclosed without authorization, could result in substantial
harm, embarrassment, inconvenience, or unfairness to an individual. For the purposes of this PTA, SPII and PII are treated the
same.
�Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 5 of 8
elements stored.
Click here to enter text.
No.
Yes. If yes, please list:
5. Does this project, program, or system
connect, receive, or share PII with any
other DHS programs or systems 4?
In accordance with the 44 C.F.R. Part 352, Subpart
B, FEMA may call upon any Federal agency to
participate in planning for the use of Federal
facilities and resources in the licensee offsite
emergency response plan. Licensee contact
information may be shared with such agencies as
needed to assist with the offsite emergency response
plan.
No.
Yes. If yes, please list:
6. Does this project, program, or system
connect, receive, or share PII with any
external (non-DHS) partners or
systems?
6(a) Is this external sharing pursuant to
new or existing information sharing
access agreement (MOU, MOA, LOI,
etc.)?
3
In accordance with the 44 C.F.R. Part 352, Subpart
B, FEMA may call upon any Federal agency to
participate in planning for the use of Federal
facilities and resources in the licensee offsite
emergency response plan. Licensee contact
information may be shared with such agencies as
needed to assist with the offsite emergency response
plan.
Choose an item. Not Applicable.
Please describe applicable information sharing
governance in place:
Since no licensee has ever requested the use of
FEMA resources since the issuance of Executive
When data is sent over the Internet, each unit transmitted includes both header information and the actual data being sent. The
header identifies the source and destination of the packet, while the actual data is referred to as the payload. Because header
information, or overhead data, is only used in the transmission process, it is stripped from the packet when it reaches its
destination. Therefore, the payload is the only data received by the destination system.
4
PII may be shared, received, or connected to other DHS systems directly, automatically, or by manual processes. Often, these
systems are listed as “interconnected systems” in Xacta.
�Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 6 of 8
Order 12657 or 44 C.F.R. Part 352 there is no
information sharing agreements in place.
7. Does the project, program, or system
provide role-based training for
personnel who have access in addition
to annual privacy training required of
all DHS personnel?
8. Per NIST SP 800-53 Rev. 4, Appendix
J, does the project, program, or system
maintain an accounting of disclosures
of PII to individuals/agencies who have
requested access to their PII?
9. Is there a FIPS 199 determination? 4
No.
Yes. If yes, please list:
No. What steps will be taken to develop and
maintain the accounting:
Yes. In what format is the accounting
maintained:
Unknown.
No.
Yes. Please indicate the determinations for each
of the following:
4
Confidentiality:
Low
Moderate
High
Undefined
Integrity:
Low
Moderate
High
Undefined
Availability:
Low
Moderate
High
Undefined
FIPS 199 is the Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal
Information and Information Systems and is used to establish security categories of information systems.
�Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 7 of 8
PRIVACY THRESHOLD REVIEW
(TO BE COMPLETED BY COMPONENT PRIVACY OFFICE)
Component Privacy Office Reviewer:
Tannaz Haddadi
Date submitted to Component Privacy
Office:
September 30, 2014
Date submitted to DHS Privacy Office:
October 1, 2014
Component Privacy Office Recommendation:
Please include recommendation below, including what new privacy compliance documentation is needed.
1660-0024 is a privacy sensitive ICR because PII is collected and retained. Since this ICR is an exercise,
FEMA Privacy recommends coverage by the DHS/FEMA/PIA-016 - Application and Registration
Records for Training and Exercise Programs (ARRTEP) PIA and DHS/FEMA-011 - Training and
Exercise Programs SORN.
(TO BE COMPLETED BY THE DHS PRIVACY OFFICE)
DHS Privacy Office Reviewer:
Eric M. Leckey
PCTS Workflow Number:
1036050
Date approved by DHS Privacy Office:
October 1, 2014
PTA Expiration Date
October 1, 2014
DESIGNATION
Privacy Sensitive System:
Yes
Category of System:
Form/Information Collection
Determination:
PTA sufficient at this time.
Privacy compliance documentation determination in progress.
New information sharing arrangement is required.
DHS Policy for Computer-Readable Extracts Containing Sensitive PII
applies.
Privacy Act Statement required.
Privacy Impact Assessment (PIA) required.
System of Records Notice (SORN) required.
Paperwork Reduction Act (PRA) Clearance may be required. Contact
your component PRA Officer.
�Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 8 of 8
A Records Schedule may be required. Contact your component Records
Officer.
PIA:
DHS/FEMA/PIA-016 - Application and Registration Records for Training and Exercise
Programs (ARRTEP)
SORN:
DHS/FEMA-011 - Training and Exercise Programs
DHS Privacy Office Comments:
Please describe rationale for privacy compliance determination above.
This ICR is privacy sensitive because it collects PII. As described in Executive Order 12657 and 44
C.F.R. Part 352 whenever State or local governments, either individually or together, decline or fail to
prepare commercial nuclear power plant offsite radiological emergency preparedness plans that are
sufficient to satisfy Nuclear Regulatory Commission (NRC) licensing requirements or to participate
adequately in the preparation, demonstration, testing, exercise, or use of such plans, a utility owner
(“licensee”) that has received a license from the NRC to operate a commercial nuclear power plant may
request FEMA assistance. It should be noted that no licensee has ever requested the use of FEMA
resources since the issuance of Executive Order 12657 or 44 C.F.R. Part 352. Nevertheless, having this
collection approved and in place eliminates the need for urgency should a licensee ever submit a request
of this nature. DHS Privacy agrees with FEMA that this ICR should be covered by the DHS/FEMA/PIA016 - Application and Registration Records for Training and Exercise Programs (ARRTEP) PIA and
DHS/FEMA-011 - Training and Exercise Programs SORN. No further action is required at this time.
�
| File Type | application/pdf |
| File Title | DHS PRIVACY OFFICE |
| Author | marilyn.powell |
| File Modified | 2014-10-01 |
| File Created | 2014-10-01 |