Privacy Impact Assessment (PIA)

privacy-pia-fema-csas-february2014_0.pdf

Federal Emergency Management Agency Individual Assistance Customer Satisfaction Surveys

Privacy Impact Assessment (PIA)

OMB: 1660-0143

Document [pdf]
Download: pdf | pdf
Privacy Impact Assessment
for the

Customer Satisfaction Analysis System
(CSAS)
DHS/FEMA/PIA-035
February 27, 2014
Contact Point
Gena Fry
Customer Satisfaction Analysis Section
Texas National Processing Service Center
(940) 891-8543
Reviewing Official
Karen L. Neuman
Chief Privacy Officer
Department of Homeland Security
(202) 343-1717

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 1

Abstract
The Federal Emergency Management Agency (FEMA) Recovery Directorate, Customer
Satisfaction Analysis (CSA) Section owns and administers the Customer Satisfaction Analysis
System (CSAS). CSAS collects, stores, and reports on responses received through surveys,
questionnaires, focus groups, and/or one-on-one interviews designed to assess customer
satisfaction and improving FEMA services. FEMA is conducting this PIA because CSAS stores
personally identifiable information (PII) from FEMA employees and members of the public in
order to conduct CSA’s customer service satisfaction assessments.

Overview
FEMA’s Recovery Directorate, Customer Satisfaction Analysis (CSA) Section ensures
that internal and external customer’s views are represented in improving disaster recovery
services. CSA measures customer (e.g., individual assistance and public assistance applicants
and FEMA employees) opinions in order to improve and enhance FEMA’s performance
consistent with FEMA’s all-hazards response mission under the Robert T. Stafford Act (Stafford
Act)1 and the Sandy Recovery Improvement Act (SRIA) of 2013,2 and as required by the
Government Performance and Results Act (GPRA),3 the Government Performance and Results
Modernization Act of 2010;4 and relevant Executive Orders including: Executive Order No.
12862, “Setting Customer Service Standards”;5 Executive Order No. 13571, “Streamlining
Service Delivery and Improving Customer Service”;6 and Executive Order No. 13411,
“Improving Assistance for Disaster Victims”.7
The CSA Section solicits feedback from FEMA employees, contractors, and members of
the public regarding their satisfaction with FEMA services. FEMA uses questionnaires, focus
groups, and interviews to measure satisfaction with services, procedures, and systems, and to
obtain suggestions for improvement. The CSA Section analyzes the information and provides
reports to the appropriate component to improve customer service, level of assistance, and speed
of recovery.
The Customer Satisfaction Analysis System (CSAS) is the IT solution that FEMA uses to
collect and store customer satisfaction information and produce reports of FEMA customer
service assessments. CSAS consists of integrated software and technology that facilitates data
1

P.L. 93-288, as amended: (http://www.fema.gov/media-library-data/138315366995521f970b19e8eaa67087b7da9f4af706e/stafford_act_booklet_042213_508e.pdf)
2
P.L. No. 113-2 (https://www.fema.gov/about-agency/sandy-recovery-improvement-act-201
3
http://www.whitehouse.gov/omb/mgmt-gpra/index-gpra)
4
P.L. No. 111-352 (http://www.gpo.gov/fdsys/pkg/PLAW-111publ352/html/PLAW-111publ352.htm)
5
September 11, 1993, (http://www.archives.gov/federal-register/executive-orders/pdf/12862.pdf)
6
April 27, 2011, (http://www.whitehouse.gov/the-press-office/2011/04/27/executive-order-streamlining-servicedelivery-and-improving-customer-ser)
7
August 29, 2006, (http://www.gpo.gov/fdsys/pkg/WCPD-2006-09-04/pdf/WCPD-2006-09-04-Pg1527.pdf)

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 2

collection, storage, and reporting. This system includes graphical design for the development of
questionnaires, contact list management, random sampling of survey participants, exclusion of
records based on do-not-call requests or prior participation, display of the available CSAS
record8 for a telephone interview, distribution of electronic surveys, and storage of responses
received during telephone interviews or electronically submitted by respondents. CSAS also
includes the ability to generate administrative reports that comply with generally accepted survey
methodology to measure: response rates, call length, number of attempts, number of
completions, non-response types, and tabulation of responses. The system design and
functionality allows FEMA to execute multiple surveys concurrently, using consistent standards
across studies. Questions may be different, but the general collection process and lifecycle is
much the same. CSAS is capable of administering multiple types of studies including telephone
interviews, electronic questionnaires (distributed by email with a link allowing online completion
by the respondent), mixed-mode questionnaires (start as a telephone contact but offer
respondents the option to receive and complete the questionnaire online or by paper), or focus
groups.
A Typical CSAS Transaction – Individuals and Households Program (IHP) Survey
FEMA’s Enterprise Data Warehouse (EDW)9 obtains a random sample of individuals
who applied to and were eligible for assistance from FEMA’s IHP. The random sample is
usually generated 60 to 90 days after the application period for IHP assistance ends and the CSA
Section imports the information into CSAS. At this point records are dropped for previously
surveyed applicants or those who asked for no further contact. The FEMA surveyor logs into
CSAS, selecting the specific study (in this case IHP), and the first sample record is displayed
automatically. The information displayed is the applicant’s name and contact telephone numbers.
FEMA follows a standard process when the applicant answers the phone. The FEMA
surveyor asks an introductory screening question (based on the services provided by FEMA to
the applicant) to ensure he/she is speaking with the appropriate party. The surveyor then informs
the applicant of the amount of time needed to do the survey. Next, the surveyor asks the
applicant if he or she would like to volunteer to take the survey and provides the requisite verbal
privacy notice and navigates the applicant through the questionnaire, reading each question as it
displays on the CSAS screen marking the responses and entering any comments in the text boxes
(FEMA surveyors are trained not to enter PII into the text boxes). Finally, the surveyor thanks
the respondent, marks the survey as complete, and stores the results in CSAS. If the responsible
party is not available, the surveyor marks the record with the appropriate attempt type
(unavailable, no answer, busy, etc.) and CSAS displays the contact information for the next
sample record.
8
9

The “available record” is the record in CSAS pertaining to the individual being surveyed.
DHS/FEMA/PIA - 026 Operational Data Store (ODS) and Enterprise Data Warehouse (EDW)

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 3

CSAS contains business rules that pull incomplete records back up to the surveyor for
another attempt to contact an applicant. CSAS establishes these business rules within the system
to give everyone selected in the random sample an opportunity to participate in the survey.
CSAS recalls records on a different day at a different time of day, and manages commitments for
the surveyor to call the applicant back at a specific date and time. FEMA closes the study after
all attempts have been made and the number of completed surveys is sufficient to achieve
precision and confidence. FEMA decides upon the precision and confidence level based on the
size of the survey pool, how many completions are required to achieve a 95% confidence level,
and other factors as determined by CSA staff. CSAS includes a results report component that
tabulates responses and generates a summary report. All information contained within the results
report is aggregate data; no PII is contained within CSAS reports. CSA staff reviews the reports
for accuracy, analyzes the results, documents trends and recommendations, and distributes
summaries to the appropriate FEMA component(s). CSAS retains study/survey information in
the system to generate quarterly and annual reports. A CSAS program analyst runs a date-based
query to archive survey response data from the prior fiscal year and remove any PII from those
records on an annual basis. CSAS data remains in active status10 for one year. The information
is needed for that period of time to generate annual reports and to compare results. CSAS then
analyzes trends and measures of improvements, and then archives data on the FEMA server for
six years. FEMA retires the reports to the Federal Records Center three years after the close of
the report for a particular survey (also known as “cutoff”) and destroys reports 20 years after
cutoff in accordance with NARA Authority N1-311-00-1.11
FEMA protects the identity of the respondents when conducting survey/research. FEMA
informs respondents of their anonymity and does not associate their PII with their assessment
responses beyond the point of collection. In addition, FEMA limits CSAS access to staff that is
directly responsible for system administration and data collection functions. CSAS is protected
with layered user IDs and passwords, as well as additional passwords to access specific functions
within the system (e.g., an interviewer can see the information required to contact respondents
and conduct the survey but does not have access to core files, tables, or databases). FEMA only
shares aggregate survey response information with its components in addition to limiting system
access.
FEMA collects responses through surveys, questionnaires, focus groups, one-on-one
interviews via telephone, online questionnaires, and email. CSAS summarizes responses and
reports the number of responses for each question and the percentage for each response option.
CSAS may present the information, including demographic breakdowns, in the form of a graph
or chart, or in the case of open text, the unedited comments in the report. FEMA employees are
10

The data is ‘active’ as long as it is in CSAS, until it is archived.
NARA Authority N1-311-00-1: http://www.archives.gov/records-mgmt/rcs/schedules/departments/department-ofhomeland-security/rg-0311/n1-311-95-002_sf115.pdf
11

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 4

specifically trained not to put PII in the unedited comment fields. CSAS uses formulas to
compute results when the agency component requires special calculations for performance
measurements and also generates survey administration reports to manage survey operations.
Reports summarize the number of completions, attempts, attempt types, productivity
information, call length, and available sample. These reports help FEMA assign work, determine
when studies can be closed, and measure average handling-time per phone call to assess the
burden to the public of a given survey. The system does not create new information at the
survey respondent level.
CSAS stores the minimum amount and types of PII necessary to contact disaster
survivors, emergency managers or FEMA employees, and contractors. PII includes name(s),
title(s), telephone number(s), email address(s), and mailing address(s). CSAS also stores non-PII
secondary information, such as Small Business Administration (SBA) referral status, other needs
referral,12 and American Red Cross referral, which FEMA uses to determine if a survey question
is appropriate based on applicant-specific circumstances, services, damages, and experiences
during the recovery cycle. CSAS stores FEMA registration/application numbers and uses them
as a key to prevent burdening members of the public with multiple contacts across different
studies. CSAS analyzes and reports aggregated demographic survey responses that include:
disaster numbers; disaster types; disaster states; grantee type; age; zip code; annual income
range; name(s) of FEMA representative(s) providing assistance; length of service; and reporting
organization. In addition to FEMA EDW noted above, CSAS obtains lists of disaster survivors’
contact information from the Disaster Recovery Center (DRC) Visitor Logs, the Recovery
Information Management System (RIMS),13 Housing Operations Management Systems
(HOMES),14 or, in the case of disaster managers and FEMA staff surveys, from the component
requesting the study.

Section 1.0 Authorities and Other Requirements
1.1



12

What specific legal authorities and/or agreements permit and
define the collection of information by the project in question?
Government Performance and Results Act of 1993 (GPRA);15
Government Performance and Results Modernization Act of 2010;16
Executive Order No. 12862, “Setting Customer Service Standards”;17

Other needs referrals are referrals to other organizations (such as community-based organizations) for items that
FEMA does not provide (e.g., blankets and razors).
13
RIMS is currently under review by the DHS Privacy Office. Information collected by RIMS will receive privacy
documentation if necessary.
14
HOMES information is covered by the DHS/FEMA/PIA-027 National Emergency Management Information
System-Individual Assistance (NEMIS-IA) Web-based and Client-based Modules.
15
P.L. No. 103-62 (http://www.whitehouse.gov/omb/mgmt-gpra/index-gpra)
16
P.L. No. 111-352 (http://www.gpo.gov/fdsys/pkg/PLAW-111publ352/html/PLAW-111publ352.htm)

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 5






1.2

E-Government Act of 2002;18
Executive Order No. 13571, “Streamlining Service Delivery and Improving Customer
Service”;19
Executive Order No. 13411, “Improving Assistance for Disaster Victims”;20 and
Sandy Recovery Act of 2013.21

What Privacy Act System of Records Notice(s) (SORN(s)) apply
to the information?

Information collected, stored, used, and shared by CSAS is covered by the following
SORNs: DHS/FEMA – 008 Disaster Recovery Assistance Files System of Records22 covers
information collected from individual assistance (IA) recipients and DHS/FEMA – 009 Hazard
Mitigation, Disaster Public Assistance, and Loan Programs System of Records covers
information collected from public assistance (PA) recipients.23 The DHS/ALL – 004 General
Information Access Account Records System (GITAARS) System of Records 24 covers
information collection from DHS employees and contractors for the purpose of creating user
accounts in CSAS.

1.3

Has a system security plan been completed for the information
system(s) supporting the project?

The CSAS System Security Plan is under development. An interim 6-month Authority to
Operate (ATO) was approved on January 2, 2014.

1.4

Does a records retention schedule approved by the National
Archives and Records Administration (NARA) exist?

CSAS maintains records under “Customer Service Satisfaction Surveys,”25 in accordance
with NARA Authority N1-311-00-1. Reports are retired to the Federal Records Center three
years after cutoff and destroyed 20 years after cutoff. CSAS records are electronically archived
and destroyed in accordance with the retention schedule above or when no longer needed for
reference.
17

September 11, 1993, (http://www.archives.gov/federal-register/executive-orders/pdf/12862.pdf)
P.L. 104-347 (http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf)
19
April 27, 2011, (http://www.whitehouse.gov/the-press-office/2011/04/27/executive-order-streamlining-servicedelivery-and-improving-customer-ser)
20
August 29, 2006, (http://www.gpo.gov/fdsys/pkg/WCPD-2006-09-04/pdf/WCPD-2006-09-04-Pg1527.pdf)
21
P. L. No. 113-2 (https://www.fema.gov/about-agency/sandy-recovery-improvement-act-201)
22
DHS/FEMA-008 - Disaster Recovery Assistance Files, April 30, 2013, 78 FR 25282
23
This SORN has been submitted to the Federal Register for approval and will be posted on the DHS Privacy
Website (http://www.dhs.gov/system-records-notices-sorns) when published.
24
DHS/ALL-004 - General Information Technology Access Account Records System (GITAARS), November 27,
2012, 77 FR 70792
25
FEMA Records Disposition Schedule File Number/Series DAP-14
18

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 6

1.5

If the information is covered by the Paperwork Reduction Act
(PRA), provide the OMB Control number and the agency number
for the collection. If there are multiple forms, include a list in an
appendix.

CSAS includes Information Collections for Individual Assistance Customer Satisfaction
Surveys OMB 1660-0036; 1660-0128; 1660-0129;26 and Public Assistance Customer
Satisfaction Survey OMB 1660-0107.27 A list of forms is provided in Appendix A.

Section 2.0 Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected, as
well as reasons for its collection.

2.1

Identify the information the project collects, uses, disseminates, or
maintains.

CSAS collects and stores the following information:
From IA applicants:

26
27



Applicant name (first and last);



Disability and functional need types;



Age;



Gross income;



Disaster number;



Disaster registration number;



Registration date;



Telephone number(s);



Email address;



Physical location of damaged address (including city, county, and zip code);



IA programs referred to;



Eligibility for IA programs referred to;



Other referral types;

Expires August 31, 2014.
Expires August 31, 2015.

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 7



Subsequent contact or visit date;



Subsequent contact type;



Preferred language;



Housing unit interview date;



Housing unit eligibility;



Housing unit type;



Housing unit location;



Lease-in/lease out dates;



Maintenance activity type;



Maintenance activity date; and



Customer service assessment responses.

From PA applicants:


Applicant name (first and last);



Primary contact name;



Alternate contact name;



Contact titles;



Contact telephone numbers;



Contact mailing addresses including zip code;



Contact email addresses;



Disaster number;



Applicant identification code;



Applicant type;



Grant type;



Grantee type;



Private non-profit type;



Private non-profit status;



Number of large projects;

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 8



Number of small projects and eligibility;



County; and



Customer service assessment responses.

From FEMA employees/contractors
o

FEMA employee/contractor name and title;

o

Email address;

o

Contact telephone numbers;

o

Component;

o

Directorate;

o

Work location;

o

Education level attained;28

o

Length of service;

o

Time in current position; and

o

Customer service assessment responses.

Information CSAS Generates
o

2.2

Assessment results reports.

What are the sources of the information and how is the
information collected for the project?

Information collected by CSAS comes from the following sources: the FEMA EDW,
DRC Visitor Logs, RIMS, and HOMES, which supplies PII for IA and PA applicants who are
selected to participate in FEMA customer service assessments. Components requesting CSA
conducted studies provide the target respondent’s contact information, component organization
charts, or employee directories. In addition, the IA and PA applicants, FEMA employees, and
contractors are the sources of assessment responses. CSAS produces reports using information
provided by the sources noted above.

2.3

Does the project use information from commercial sources or
publicly available data? If so, explain why and how this
information is used.

CSAS does not use information from commercial sources or publicly available data.
28

This is collected from employees and may be included on a training needs assessment or a demographic variable.

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 9

2.4

Discuss how accuracy of the data is ensured.

The disaster survivor (applicant) provides information at the time he/she applies for
FEMA IA or PA (including PII) and FEMA representatives verify the information on all
subsequent contacts. FEMA assumes the information is accurate because it comes directly from
the applicant and is updated in the source system. FEMA pulls the survey sample from the EDW
a day or two before survey contacts begin, which ensures the most current information is used.
Data collected by CSA survey staff during interviews is monitored by the Quality Assurance
team and by CSA supervisors to ensure accuracy of survey questions response data entry.

2.5

Privacy Impact Analysis: Related to Characterization of the
Information

Privacy Risk: There is a risk that CSAS may maintain inaccurate information on disaster
assistance applicants.
Mitigation: FEMA mitigates this risk by conducting customer service assessments in a
timely fashion and generating a sample population 60 to 90 days after the application period for
assistance ends. Risk is also mitigated by collecting information directly from the applicants. In
addition, within this timeframe, IA and PA data are replicated to EDW at consistent intervals to
ensure the most up-to-date information is imported in CSAS when the sample is selected.

Section 3.0 Uses of the Information
The following questions require a clear description of the project’s use of information.

3.1

Describe how and why the project uses the information.

FEMA uses respondent-specific data elements such as telephone numbers, email
addresses, and mailing addresses to contact the respondent and complete the survey
questionnaire either by telephone, electronic distribution, or paper via U.S. mail. FEMA uses
data elements related to respondent-specific referrals, eligibility, services, programs, or processes
to ensure the respondent is asked only questions that are directly related to his/her areas of
experience. Demographic information such as age, income, or county is used to summarize
survey responses for aggregate results reports.

3.2

Does the project use technology to conduct electronic searches,
queries, or analyses in an electronic database to discover or locate
a predictive pattern or an anomaly? If so, state how DHS plans to
use such results.

CSAS does not conduct searches, queries, or analyses to discover or locate predictive
patterns or anomalies.

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 10

3.3

Are there other components with assigned roles and
responsibilities within the system?

No other DHS components have access to CSAS.

3.4

Privacy Impact Analysis: Related to the Uses of Information

Privacy Risk: There is a risk that FEMA could use information in CSAS for purposes
other than that for which the information was collected.
Mitigation: FEMA mitigates this risk by limiting the collection of information that is
necessary to identify the respondent’s assistance status, contact individuals, and collect their
customer service assessment responses.

Section 4.0 Notice
4.1

How does the project provide individuals notice prior to the
collection of information? If notice is not provided, explain why
not.

FEMA provides notice to individuals participating in customer satisfaction assessments
through a variety of media. First, FEMA provides a written Privacy Act Statement (Appendix B)
to its survey respondents. Second, FEMA CSA staff conducting assessments provides a verbal
privacy notice to respondents prior to collecting their assessment information. Finally, the
DHS/FEMA 008 – Disaster Recovery Assistance Files SORN and the DHS/FEMA – 009 Hazard
Mitigation, Disaster Public Assistance, and Disaster Loan SORN provide notice of FEMA’s
collection and use of information for its customer service assessments.

4.2

What opportunities are available for individuals to consent to
uses, decline to provide information, or opt out of the project?

The Privacy Act statement informs individuals that participation in surveys and focus
groups is voluntary and that failure to provide information will not impact their eligibility for, or
the provisions of, FEMA programs. Individuals may decline to provide information or opt-out of
participating in the survey or focus group at the time of notice. In cases when the respondent
initially opted-in, they can leave the call, electronic questionnaire, or focus group at any time.
There is no obligation to complete the process should the respondent change his or her mind.

4.3

Privacy Impact Analysis: Related to Notice

Privacy Risk: There is a risk that individuals participating in FEMA customer service
assessments will not receive a Privacy Act notice at the time their information is collected.
Mitigation: FEMA mitigates this risk by providing notice of collection of PII for
customer service assessments through a variety of media. FEMA provides a Privacy Act

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 11

Statement to survey respondents regardless of how the information is collected. FEMA CSA
staff provides a verbal privacy notice to respondents prior to collecting their assessment
information; and the DHS/FEMA 008 – Disaster Recovery Assistance Files SORN and the
DHS/FEMA – 009 Hazard Mitigation, Disaster Public Assistance, and Disaster Loan SORN
provide notice of FEMA’s collection and use of information for its customer service
assessments.

Section 5.0 Data Retention by the project
The following questions are intended to outline how long the project retains the information after the initial
collection.

5.1

Explain how long and for what reason the information is retained.

CSAS data remains in active status for one year. FEMA needs the information for this
period of time to generate annual reports, compare results, analyze trends, and measure
improvements. Data is archived on the FEMA server for six years. In accordance with NARA
Authority N1-311-00-1, reports are retired to the Federal Records Center three years after cutoff
and destroyed 20 years after cutoff.

5.2

Privacy Impact Analysis: Related to Retention

Privacy Risk: There is a risk that CSAS will retain information longer than necessary.
Mitigation: FEMA mitigates this risk by minimizing the time it keeps the data in line
with the mission of its customer service assessment programs. FEMA also uses NARA-approved
retention schedules to retain and eventually dispose of the data. In addition, FEMA leverages
training and documentation, such as standard operating procedures, to inform FEMA users of
proper record retention standards.

Section 6.0 Information Sharing
The following questions are intended to describe the scope of the project information sharing external to
the Department. External sharing encompasses sharing with other federal, state and local government and private
sector entities.

6.1 Is information shared outside of DHS as part of the normal
agency operations? If so, identify the organization(s) and how the
information is accessed and how it is to be used.
Information in CSAS (whether related to IA applicants, PA applicants, or to FEMA
employees/contractors) is not shared outside of DHS as part of normal agency operations.
Reports are shared outside of DHS to NARA; however, these reports do not contain any PII.

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 12

Information about IA applicants, PA applicants, or DHS employees/contractors may be shared
externally subject to their applicable PIAs and SORNs.29

6.2

Describe how the external sharing noted in 6.1 is compatible with
the SORN noted in 1.2.

Information in CSAS (whether related to IA or PA or to FEMA employees/contractors) is
not shared outside of DHS.

6.3

Does the project place limitations on re-dissemination?

PII from CSAS is not shared outside of DHS, and therefore, is not re-disseminated.

6.4

Describe how the project maintains a record of any disclosures
outside of the Department.

Requests for CSAS records should be made to the FEMA Disclosure Officer, who
maintains the accounting of what records are disclosed and to whom.

6.5

Privacy Impact Analysis: Related to Information Sharing

Privacy Risk: There is a risk that information in CSAS could be erroneously disclosed.
Mitigation: FEMA mitigates this risk by restricting its sharing of the information in
CSAS outside of DHS pursuant only to the routine uses found in the DHS/FEMA – 008 Disaster
Recovery Assistance Files SORN, the DHS/FEMA – 009 Hazard Mitigation, Disaster Public
Assistance, and Disaster Loan SORN, and pursuant to a written request submitted to the FEMA
Disclosure Office. FEMA may also release CSAS reports pursuant to a request made under the
Freedom of Information Act.

Section 7.0 Redress
The following questions seek information about processes in place for individuals to seek redress which
may include access to records about themselves, ensuring the accuracy of the information collected about them,
and/or filing complaints.

7.1

What are the procedures that allow individuals to access their
information?

Information in CSAS from IA applicants is part of the DHS/FEMA – 008 Disaster
Recovery Assistance Files SORN, and information from PA applicants is part of the DHS/FEMA
29

IA applicant information: DHS/FEMA/PIA-027 National Emergency Management Information System-Individual
Assistance (NEMIS-IA) Web-based and Client-based Modules; and DHS/FEMA – 008 Disaster Recovery
Assistance Files System of Records. PA applicant information: DHS/FEMA/PIA-026 Operational Data Store
(ODS) and Enterprise Data Warehouse (EDW) and DHS/FEMA/PIA-009 Document Management and Records
Tracking System (DMARTS) SORN. DHS employee/contractor information: DHS/ALL-004 - General Information
Technology Access Account Records System (GITAARS).

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 13

– 009 Hazard Mitigation, Disaster Public Assistance, and Disaster Loan SORN. Individuals may
access their information via a Privacy Act or FOIA request to the DHS Headquarters or the
FEMA Disclosure Officer pursuant to the instructions in those SORNs.
Individuals are able to change incorrect information within CSAS by contacting the
specific FEMA department that conducted the survey (e.g., the IA or PA program) and
correcting the data in the source system (ODS/EDW). Employees or contractors who want access
their information can contact their component.

7.2

What procedures are in place to allow the subject individual to
correct inaccurate or erroneous information?

FEMA disaster assistance applicants participating in customer service assessments may

correct inaccurate data via the processes noted in Section 7.1 above. IA disaster applicants may
submit an amendment to their information in the aforementioned DHS/FEMA – 008 Disaster
Recovery Assistance Files SORN following a Privacy Act request to the FEMA Disclosure
Office. PA disaster applicants may submit an amendment to their information in the
aforementioned DHS/FEMA – 009 Hazard Mitigation, Disaster Public Assistance, and Disaster
Loans SORN. Such requests should be sent to: FEMA Disclosure Officer, Records Management
Division, 500 C Street, SW, Washington, DC 20472.

7.3

How does the project notify individuals about the procedures for
correcting their information?

This PIA and the associated SORNs provide notice regarding ways in which IA and PA
recipients participating in customer service assessments may correct their information.

7.4

Privacy Impact Analysis: Related to Redress

Privacy Risk: There is a risk that individuals whose information appears in the CSAS
system will be unaware of the redress process.
Mitigation: FEMA mitigates this risk because this PIA and the associated SORNs
provide the notice of the redress process to those recipients of FEMA’s IA and PA funds who are
participating in FEMA’s customer service assessments.

Section 8.0 Auditing and Accountability
8.1

How does the project ensure that the information is used in
accordance with stated practices in this PIA?

FEMA ensures that the practices stated in this PIA are followed by leveraging training,
policies, rules of behavior, and auditing and accountability. Some practices (such as the data
retention and deletion processes) are also automated to ensure compliance.

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 14

8.2

Describe what privacy training is provided to users either
generally or specifically relevant to the project

All CSAS users must complete mandatory FEMA Privacy Awareness and Security
Awareness training on an annual basis. The CSA Section manager and supervisors ensure that
their employees have completed and passed all training. FEMA employees are specifically
trained not to enter PII in unedited comment fields.

8.3

What procedures are in place to determine which users may
access the information and how does the project determine who
has access?

FEMA allows access to CSAS by CSA Section staff30 only. FEMA grants CSAS user
rights to individuals with responsibility for a specific system function. The CSA supervisor
initiates the access authorization process. The supervisor emails the Technical Management
Office (TMO) and provides the CSA employee’s name, assigned user ID, and role. TMO
submits a request to IT to provide the server and folder level access for the specific role. IT
notifies the employee and TMO when folder level access is available. TMO then updates CSAS
interview ID, skills, and assignment tables. The process for removing or changing a user access
is initiated by the CSA supervisor and follows the same process flow.
The Interviewer role allows a minimum level of access to CSAS. Interviewers can view
information required to contact respondents and conduct the survey but cannot view or access
core files, tables, or databases.
CSA Specialists have all of the rights of an Interviewer and can also perform basic
administrative tasks like loading survey sample, adjusting quotas, running survey status reports,
and results reports.
Program Analysts and Technical Specialists have all of CSA Specialist rights plus the
ability to create and activate new study questionnaires, build study specific business rules, design
and build administrative and results reports, and run queries.
Remote access is an essential element in FEMA’s move toward a virtual work
environment. CSAS is accessible to CSA staff that has been authorized to telework using
FEMA’s Virtual Private Network (VPN).

8.4 How does the project review and approve information sharing
agreements, MOUs, new uses of the information, new access to the
system by organizations within DHS and outside?

30

CSA Section - Recovery Directorate, Customer Satisfaction Analysis (CSA) Section

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 15

CSAS does not require information sharing agreements or MOUs; however, the project
has a process to review such agreements if it becomes necessary. This process involves review
by the FEMA IT Security Branch, FEMA Privacy Officer, and Office of Chief Counsel prior to
sending to the DHS Privacy Office for formal review and clearance. Similarly, CSAS will
leverage its stakeholders in the process of reviewing and approving any new uses for the project.

Responsible Officials
Eric M. Leckey
Privacy Officer
Federal Emergency Management Agency
U.S. Department of Homeland Security

Approval Signature

Original signed and on file with the DHS Privacy Office
Karen L. Neuman
Chief Privacy Officer
Department of Homeland Security

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 16

APPENDIX A: FEMA Forms and OMB Control Numbers
o OMB Control No. 1660-0036 “Federal Emergency Management Agency (FEMA)
Individual Assistance Customer Satisfaction Surveys”
o Casework Survey – 1660-0036 Form 007-0-06
o Helpline/Contact Survey – 1660-0036 Form 007-0-05
o Internet Inquiry Survey – 1660-0036 Form 007-0-19
o Internet Inquiry Online Survey – 1660-0036 Form 007-0-19INT
o Internet Registration Survey – 1660-0036 Form 007-0-02
o Internet Registration Online Survey – 1660-0036 Form 007-0-02INT
o Disaster Recovery Center Survey – 1660-0036 Form 007-0-07
o Registration Survey – 1660-0036 Form 007-0-03
o Disaster Housing Operations Move In Survey – 1660-0036 Form 007-0-04
o Disaster Housing Operations Maintenance Survey – 1660-0036 Form 007-0-X
o Disaster Housing Operations Move Out Survey – 1660-0036 Form 007-0-X
o OMB Control No. 1660-107 “Public Assistance Customer Satisfaction Survey”
o Public Assistance Customer Satisfaction Survey – 1660-0107 Form 519-0-1T
o Public Assistance Customer Satisfaction Survey – 1660-0107 Form 519-0-1INT
o OMB Control No. 1660-0128 “Federal Emergency Management Agency
Individual Assistance Program Effectiveness & Recovery Survey”
o Program Effectiveness and Recovery Survey – 1660-0128 Form 007-0-20
o OMB Control No. 1660-0129 “Federal Emergency Management Agency
Individual Assistance Follow-Up Program Effectiveness & Recovery”
o Follow-up Program Effectiveness and Recovery Survey – 1660-0129 Form 0070-14

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 17

APPENDIX B: e3 Privacy Act Statement for Individual Assistance Assessments
AUTHORITY: Government Performance and Results Act (GPRA), 5 U.S.C. Ch. 3 as amended
and the GPRA of 2010 (P.L. 111-352); Executive Order (EO) 12862, “Setting Customer Service
Standards;” and its March 23, 1995 Memorandum addendum, “Improving Customer Service”;
Executive Order 13411 “Improving Assistance for Disaster Victims”; Executive Order 13571
“Streamlining Service Delivery and Improving Customer Service”; and its June 13, 2011
Memorandum “Implementing Executive Order 13571 on Streamlining Service Delivery and
Improving Customer Service”.
PRINCIPAL PURPOSE(S): DHS/FEMA collects this information to measure Individual
Assistance customers’ satisfaction with FEMA services.
ROUTINE USE(S): This information is used for the principal purpose(s) noted above and will
not be shared outside of DHS/FEMA, except as allowed under DHS/FEMA – 008 Disaster
Recovery Assistance Files (April 30, 2013, 78 FR 25282), or as required by law.
DISCLOSURE: The disclosure of information on this form is strictly voluntary and will assist
FEMA in making improvements to its Individual Assistance program; failure to provide the
information requested will not impact the provision of FEMA Individual Assistance to qualified
entities.

Privacy Impact Assessment
Customer Satisfaction Analysis System (CSAS)
Federal Emergency Management Agency
Page 18

APPENDIX C: e3 Privacy Act Statement for Public Assistance Assessments
AUTHORITY: Government Performance and Results Act (GPRA), 5 U.S.C. Ch. 3 as amended
and the GPRA of 2010 (P.L. 111-352); Executive Order (EO) 12862 “Setting Customer Service
Standards;” and its March 23, 1995 Memorandum addendum, “Improving Customer Service;”
Executive Order 13411 “Improving Assistance for Disaster Victims;” Executive Order 13571
“Streamlining Service Delivery and Improving Customer Service;” and its June 13, 2011
Memorandum “Implementing Executive Order 13571 on Streamlining Service Delivery and
Improving Customer Service.”
PRINCIPAL PURPOSE(S): DHS/FEMA collects this information to measure Public
Assistance customers’ satisfaction with FEMA services.
ROUTINE USE(S): This information is used for the principal purpose(s) noted above and will
not be shared outside of DHS/FEMA, except as allowed under DHS/FEMA – 009 Hazard
Mitigation Assistance, Public Assistance, and Disaster Loan System of Records, or as required
by law.
DISCLOSURE: The disclosure of information on this form is strictly voluntary and will assist
FEMA in making improvements to its Public Assistance program; failure to provide the
information requested will not impact the provision of FEMA Public Assistance to qualified
entities.


File Typeapplication/pdf
File TitleCustomer Satisfaction Analysis System (CSAS) PIA
AuthorDepartment Of Homeland Security Privacy Office
File Modified2014-03-04
File Created2014-03-04

© 2024 OMB.report | Privacy Policy