Faces Pia

Privacy Impact Assessment
for the

Federal Annuity Claims Expert System
(FACES)
December 21, 2017
Contact Point
Nicholas Ashenden
Deputy Associate Director
Retirement Services
Reviewing Official
Kellie Cosgrove Riley
Chief Privacy Officer

Privacy Impact Assessment
Federal Annuity Claims Expert System (FACES)
Page 1

Abstract
The U.S. Office of Personnel Management Office of Retirement Services
manages the Federal Annuity Claims Expert System (FACES). FACES is a
mission critical application that Retirement Services uses to compute Civil
Service and Federal Employees Retirement Systems benefits for federal
retirees and their survivors. This Privacy Impact Assessment is being
conducted because FACES collects, maintains, and uses personally
identifiable information about federal retirees and their survivors.

Overview
FACES is an information technology tool that assists the Office of Personnel
Management’s (OPM) Office of Retirement Services (RS) in calculating
annuities based on federal employees’ records of federal service. It is
comprised of two components: the Retirement Benefits Calculator (RBC)
and the Retirement Benefits Estimator (RBE).
The Retirement Benefits Calculator (RBC) is used to calculate annuities
based on federal employees’ records of federal service from either the Civil
Service Retirement System (CSRS) or the Federal Employees Retirement
System (FERS). These retirement annuities are based on payroll and
personnel documents submitted by the federal employee’s agency.
Legal Administrative Specialists (LAS) compute annuities from paper based
records submitted by the retiring employee’s agency. RBC computational
data, once adjudicated and reviewed, is encrypted and sent from FACES to
the Annuity Roll System (ARS) for payment, tracking, and other appropriate
actions needed for benefits management. A print out of the computation is
also placed in the individual’s retirement case file.
The RBC provides a web interface to access the Service Credit Redeposit
(SCRD) system, which provides federal employees an opportunity to make
payments into their retirement funds for periods of service during which they
either did not contribute, or for which they previously received a refund of
their contributions. It allows the LAS to view, print and close SCRD accounts
when the federal employee retires. When the LAS closes out the retiree’s
SCRD account, a printout is added to the retirement case file before the case
has been trigged and processed through to ARS. The Retirement Benefits
Estimator (RBE) is a web-based FACES component. Federal Retirement
Benefits Officers and Human Resource Specialists outside of OPM use the
RBE to compute retirement annuity estimates for federal employees
considering retirement. These estimates are computed by using the federal
employee’s personnel records. These estimates are not passed to the RBC

Privacy Impact Assessment
Federal Annuity Claims Expert System (FACES)
Page 2

and are considered the agency’s information, until the employee retires.

Section 1.0 Authorities and Other Requirements
1.1 What specific legal authorities and/or agreements permit and
define the collection of information by the project in question?
The Civil Service Retirement System (CSRS) is administered pursuant to 5
U.S.C. Chapter 83 and the Federal Employee Retirement System (FERS) is
administered pursuant to 5 U.S.C. Chapter 84. The authority for
maintenance of the system includes the following with any revisions or
amendments: Section 3301 and chapters 83, 84, 87, 89 and 90 of title 5,
United States Code, Pub. L. 83-598, 84-356, 86-724, 94-455, and 106-265;
and Executive Order 9397, as amended by 13478.
1.2 What Privacy Act System of Records Notice(s) (SORN(s)
applies to the information?
The SORN that applies to the information in FACES is OPM/Central-1, Civil
Service Retirement and Benefits Records.
1.3 Has a system security plan been completed for the information
system(s) supporting the project?
The system security plan was completed as part of the Authority to Operate
that was granted to FACES on October 24, 2016.
1.4 Does a records retention schedule approved by the National
Archives and Records Administration (NARA) exist?
A schedule is under review by NARA. In accordance with NARA regulations,
these records are considered permanent until the schedule has been
approved.
1.5 If the information is covered by the Paperwork Reduction Act
(PRA), provide the OMB Control number and the agency number for
the collection.
Standard Forms:
SF-2800, Application for Death Benefits (Civil Service Retirement System),
OMB No. 3206-0156

Privacy Impact Assessment
Federal Annuity Claims Expert System (FACES)
Page 3

SF-2802, Application for Refund of Retirement Deductions (CSRS), OMB No.
3206-0128
SF-2803, Application to Make Deposit or Redeposit, OMB No. 3206-0134
SF-2817, Life Insurance Election: Federal Employees' Group Life Insurance
Program, OMB No. 3206-0230
SF-3104 and SF-3114, Application for Death Benefit (FERS), OMB No. 32060172
SF-3106, Application for Refund of Retirement Deductions (Federal
Employees Retirement System)
OPM Forms:
OPM 1496, Application for Deferred Retirement, Civil Service Retirement
System (Separations on or after October 1, 1956), OMB No. 3206-0121
Retirement Services Forms:
Rl 20-7, Representative Payee Application, OMB No. 3206-0140
Rl 20-120, Request for Change to Unreduced Annuity, OMB No. 32206-0245
Rl 38-45, We Need the Social Security Number of the Person Named Below,
OMB No. 3206-0144
Rl 92-19, Application for Deferred or Postponed Retirement-Federal
Employees Retirement System (FERS), OMB No. 3206-0190

Section 2.0 Characterization of the Information
2.1 Identify the information the project collects, uses,
disseminates, or maintains.
FACES collects, uses, disseminates, or maintains the following information:
name, claim number, date of birth, social security number, address, marital
status, financial and banking information and key values to compute
annuity, and health care insurance information (plan and carrier details).
2.2 What are the sources of the information and how is the
information collected for the project?
Data in FACES originates primarily from the annuitant’s paper application for

Privacy Impact Assessment
Federal Annuity Claims Expert System (FACES)
Page 4

benefits and from the employment records submitted by the annuitant’s
former agency. Additionally, LAS’s use information printed from SCRD via
the FACES web interface.
2.3 Does the project use information from commercial sources or
publicly available data? If so, explain why and how this information
is used.
No, FACES does not use information from commercial sources.
2.4 Discuss how accuracy of the data is ensured.
The individual’s agency certifies the periods of federal service along with the
relevant retirement documents (such as the certification of FEGLI status)
while the agency’s payroll provider audits and certifies the individual’s
payroll documents known as the Individual Retirement Record (IRR). The
certified documentation is included in the retirement application file signed
by the applicant that is sent to OPM for retirement processing. The accuracy
of the data is enforced through the separation of duties between the LAS
and an LAS reviewer. The LAS enters data from the paper based records into
FACES to compute the retirement annuity. An LAS reviewer verifies the
computational data against the paper based records before the
computational data is authorized for payment.
The FACES computational data is then set up to create transactions to ARS.
These transactions are used for payment processing to the annuitant
through the U.S. Treasury.
Additionally, every month a sample of active retirement claims is pulled from
our retirement operations center and reviewed for quality and accuracy. The
results of these monthly audits are provided to Retirement Operations for
resolution.

Privacy Impact Assessment
Federal Annuity Claims Expert System (FACES)
Page 5

2.5 Privacy Impact Analysis: Related to Characterization of the
Information.
Privacy Risk
There is a risk that the information
in FACES is not accurate.

There is a risk regarding the
accuracy of information that comes
from the paper-based form
(completed by the annuitant) which
might be input incorrectly or
improperly transcribed.

Mitigation
This risk is mitigated by the detailed
procedures FACES has in place,
described in Section 2.4, to ensure
that the information is as accurate
as possible. OPM also assumes that
information regarding the Federal
employees that comes directly from
other agencies is correct and has
been validated by the employing
agency then submitted
appropriately.
This risk is mitigated by the
separations of duties between the
LAS and the LAS reviewer. There
are two levels of verification built
into these two roles as described in
Section 2.4. Additionally, there are
monthly audits conducted by the RS
QA Division, which validate and
verify the information processed by
the LAS and LAS reviewer.

Privacy Impact Assessment
Federal Annuity Claims Expert System (FACES)
Page 6

Section 3.0 Uses of the Information
3.1 Describe how and why the project uses the information.
FACES uses the annuitant information listed in Section 2.1 to process Civil
Service and Federal Employees’ Retirement System retirement and survivor
benefits. These annuity benefits are based on either a retired or a deceased
federal employee’s service and salary history.
3.2 Does the project use technology to conduct electronic searches,
queries, or analyses in an electronic database to discover or locate a
predictive pattern or an anomaly? If so, state how OPM plans to use
such results.
FACES does not use any special technology or tools for electronic searches,
queries or analysis of its data.
3.3 Are there other programs/offices with assigned roles and
responsibilities within the system?
Yes, the Office of the Chief Information Office (OCIO) has access to FACES in
order to provide the following IT system services for FACES: System
Development and Lifecycle Support, System Maintenance, Patch
Management, and System Security.
3.4

Privacy Impact Analysis: Related to the Uses of Information

Privacy Risk
There is a risk that the system will
be accessed by unauthorized
individuals who do not have a need
to know the information or by
authorized individuals for an
unauthorized purpose.

Mitigation
This risk is mitigated through the
use of assigned roles with specific
responsibilities including the use of
access controls that restrict the
ability to retrieve data based on an
individual’s authorization and access
permissions that are built into the
system. The system maintains
access roles that restrict and grant
access to information and
functionality to support the unique
business process needs.

Privacy Impact Assessment
Federal Annuity Claims Expert System (FACES)
Page 7

Section 4.0 Notice
4.1 How does the project provide individuals notice prior to the
collection of information? If notice is not provided, explain why not.
FACES cannot be accessed by retirees and survivors and, therefore, there is
no direct notice to individuals from the system. However, individuals
applying for benefits are provided with notice concerning the collection of
their information through Privacy Act statements on the forms that they
complete. In addition, notice is provided via the OPM/CENTRAL 1 SORN and
this PIA.
4.2 What opportunities are available for individuals to consent to
uses, decline to provide information, or opt out of the project?
Once they have completed their application for retirement benefits,
individuals do not have the opportunity to consent to the use of their
information, to decline to provide their information to FACES, nor to opt out
of having their information in FACES. However, the Privacy Act statements
on the relevant forms explain that provision of information is voluntary but
that declining to provide information may result in the inability of OPM to
process retirement benefits.
4.3 Privacy Impact Analysis: Related to Notice
Privacy Risk
Mitigation
There is a risk that individuals will
This risk is mitigated through
not know that their information is
publication of this PIA and, while not
being collected, used, and
directly referencing FACES, through
maintained in FACES in order to
the Privacy Act statements on
compute their retirement benefits.
relevant forms that explain why
information is being collected and
how it will be used.

Section 5.0 Data Retention by the project
5.1 Explain how long and for what reason the information is
retained.
Annuity calculations made in FACES are printed and placed in the retirement
case files. The electronic record of these calculations is currently retained as
a permanent record until a records schedule is approved by NARA, as
required by law. The new schedule will have the retention mandated by 5
U.S.C. § 8345(i): We will destroy the records 30 years after the date of the

Privacy Impact Assessment
Federal Annuity Claims Expert System (FACES)
Page 8

employee’s death or 115 years after the date of the employee’s birth,
whichever is sooner.
5.2 Privacy Impact Analysis: Related to Retention
Privacy Risk
Mitigation
There is a risk that information will
OPM is working to mitigate this risk
be retained for longer than is
through the process required to
necessary to meet the business
establish a new records schedule in
need of the system.
order to mitigate this risk as soon as
possible.

Section 6.0 Information Sharing
6.1 Is information shared outside of OPM as part of the normal
agency operations? If so, identify the organization(s) and how the
information is accessed and how it is to be used.
Authorized Human Resource Specialists and Federal Benefits Officers from
external federal agencies enter data in the RBE to create retirement
estimates for employees considering retirement. Each federal agency benefit
officer can only view employee data from their respective agency prior to the
employee leaving the agency. OPM does not have access to these records
until the employee dies or retires. Once the data is marked as OPM’s, the
RBE record becomes a RBC record. FACES records are not shared externally
unless OPM is directed to do so by court order.
6.2 Describe how the external sharing noted in 6.1 is compatible
with the SORN noted in 1.2.
OPM does not disclose FACES records externally unless directed to do so by
court order.
6.3 Does the project place limitations on re-dissemination?
OPM does not disclose FACES records externally unless directed to do so by
court order.

6.4 Describe how the project maintains a record of any disclosures
outside of OPM.
OPM does not disclose FACES records externally unless directed to do so by
court order.

Privacy Impact Assessment
Federal Annuity Claims Expert System (FACES)
Page 9

6.5

Privacy Impact Analysis: Related to Information Sharing

Privacy Risk
There is a risk that information in
the system will be shared externally
for a purpose that is inconsistent
with the purpose for which it was
collected.

Mitigation
This risk is mitigated because RS
does not disclose the information in
FACES unless required to do so by
court order, and through access
controls that permit only those with
a need to know and who have been
trained on the proper use of the
information in FACES to access the
system.

Section 7.0 Redress
7.1 What are the procedures that allow individuals to access their
information?
Individuals do not have direct access to FACES. However, individuals have
access to their retirement information through retirement booklets that are
mailed to annuitants when regular recurring payments are authorized or as
requested, after the final computational results have been sent to ARS. In
addition, annuity statements are sent to individuals when adjustments to
recurring monthly payments occur. Individuals can also access their
information through Services Online (https://www.servicesonline.opm.gov)
and annual notices are sent at the beginning of each calendar year.
In addition, individuals may request access to their records by contacting the
system owner identified in the OPM/CENTRAL 1 SORN and providing the
following information: name, including all former names; date of birth;
Social Security number; the name and address of the office in which he or
she is currently or was formerly employed in the Federal service; and
annuity, service credit, or voluntary contributions account number, if
assigned. Individuals requesting access must also follow OPM's Privacy Act
regulations, 5 C.F.R. part 297, regarding verification of identity and access
to records.

Privacy Impact Assessment
Federal Annuity Claims Expert System (FACES)
Page 10

7.2 What procedures are in place to allow the subject individual to
correct inaccurate or erroneous information?
Individuals do not have direct access to FACES but may contact Retirement
Services directly to notify the agency of changes to personal information.
Based on the type of change, RS may require the individual submit evidence
to prove identity and/or the validity of change.
In addition, individuals may request that their records be corrected by
contacting the system owner identified in the OPM/CENTRAL 1 SORN and
providing the following information: name, including all former names; date
of birth; Social Security number; the name and address of the office in
which he or she is currently or was formerly employed in the Federal
service; and annuity, service credit, or voluntary contributions account
number, if assigned. Individuals requesting access must also follow OPM's
Privacy Act regulations, 5 C.F.R. part 297, regarding verification of identity
and access to records.
7.3 How does the project notify individuals about the procedures
for correcting their information?
Individuals are notified at the time of retirement and through subsequent
notifications via mail about mechanisms for accessing and correcting their
information. In addition, the OPM/CENTRAL 1 SORN provides notification
concerning correcting records, as does this PIA.

Privacy Impact Assessment
Federal Annuity Claims Expert System (FACES)
Page 11

7.4 Privacy Impact Analysis: Related to Redress
Privacy Risk
Mitigation
There is a risk that individuals
This risk is mitigated by affording an
may not be able to access their
opportunity to request modifications of
information in FACES nor be
records via Services Online
afforded adequate opportunity to (https://www.servicesonline.opm.gov/)
correct that information.
or calling Retirement Services directly.
Individuals may also request changes
via email at [email protected]. Users
are allowed direct access to Services
Online and other information regarding
the annuity payments, as well as the
ability to ensure all data is accurate,
relevant, and up-to-date, through
contacting agency personnel to assist
at [email protected], reference to a
Frequently-Asked-Questions webpage,
and other contact points
(https://www.opm.gov/retirementservices/contact-retirement/) where
they can obtain assistance.
There is a risk that individuals will
not be notified concerning their
ability to access and amend their
records.

This risk is mitigated through
notification that is provided to
individuals at the time of retirement,
as well as through subsequent
mailings. In addition, the
OPM/CENTRAL 1 SORN and this PIA
provide notice regarding the
procedures for accessing and
correcting information.

Section 8.0 Auditing and Accountability
8.1 How does the project ensure that the information is used in
accordance with stated practices in this PIA?
By utilizing separation of duties to review and authorize computations;
annuity computations are compared to the paper-based retirement records;
and then reviewed and authorized by RS personnel prior to payment of
benefits.

Privacy Impact Assessment
Federal Annuity Claims Expert System (FACES)
Page 12

8.2 Describe what privacy training is provided to users either
generally or specifically relevant to the project.
All OPM employees and contractors must take the annual Security and
Privacy Awareness Training.
All RBE users are required to take their agency’s Security and Privacy
Awareness Training. Their supervisor, Agency Benefit’s officer and the RS
BOTD representative must certify the training. If an agency does not have
such a training, their RBE users can take the OPM training to fulfill this
requirement.
8.3 What procedures are in place to determine which users may
access the information and how does the project determine who has
access?
All federal employees requesting access to FACES must be approved by a
Federal supervisor. Contractor access is based on contractor functional
business purpose to handle FACES data and the Contracting Officer
Representative’s (COR) approval. OPM RS personnel, External Agency
Benefits Officers and Independent Auditors are required to complete RBC
and RBE forms. The RBC and RBE forms are processed and reviewed through
the RS authorization process. These forms are sent to the FACES Help Desk.
The FACES Help Desk processes these applications and manages user
account access.
There are three types of administrative roles that can update FACES User
Accounts: FACES Administrator, Administrative Assistant, or a Password
Reset Only Role. The privileges associated with these roles are summarized
as follows:
8.4 How does the project review and approve information sharing
agreements, MOUs, new uses of the information, new access to the
system by organizations within OPM and outside?
Any new information sharing agreements or memoranda of understanding,
and any new uses of the FACES information or new access to the FACES
system, must be approved by the FACES System Owner in coordination with
the requesting Agency and the appropriate OPM offices.

Privacy Impact Assessment
Federal Annuity Claims Expert System (FACES)
Page 13

Responsible Official
Nicholas Ashenden
Deputy Associate Director
Retirement Operations
Retirement Services

Approval Signature

KELLIE RILEY

Digitally signed by KELLIE RILEY
Date: 2017.12.21 12:12:52 -05'00'

Kellie Cosgrove Riley
Chief Privacy Officer
Office of Personnel Management