Privacy Impact Assessment (PIA)

March 22, 2023 EDGAR PIA.pdf

Form 4 - Statement of Changes in Beneficial Ownership of Securities

Privacy Impact Assessment (PIA)

OMB: 3235-0287

Document [pdf]
Download: pdf | pdf
U.S. Securities and Exchange Commission

Electronic Data Gathering, Analysis and Retrieval (EDGAR)
PRIVACY IMPACT ASSESSMENT (PIA)

March 22, 2023

EDGAR Business Office

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)
1.1

Name of Project or System

Section 1: System Overview

Electronic Data Gathering, Analysis and Retrieval (EDGAR)
1.2

Is the system internally or externally hosted?
☒

Internally Hosted (SEC)

☐

Externally Hosted
(Contractor or other
agency/organization)

Office of Information Technology (OIT)

1.3

Reason for completing PIA
☐ New project or system
☒ This is an existing system undergoing an update
First developed:
1/1/1992
Last updated:
12/5/2020
Description of update: This Privacy Impact Assessment (PIA) update reflects the latest collection of
information in the system, including information on addition of new regulated
entities, and changes in technology, controls and functionality. EDGAR has
undergone periodic updates since the last PIA was published; including EDGAR
system patching and security enhancements. This PIA incorporates all updates
up to and including EDGAR 22.4 release.

1.4

Does the system or program employ any of the following technologies?
☒ Enterprise Data Warehouse (EDW)
☐ Social Media
☐ Mobile Application (or GPS)
☐ Cloud Computing Services
www.sec.gov Web Portal
☒
☐ None of the Above

2.1

Section 2: Authority and Purpose of Collection
Describe the project and its purpose or function in the SEC’s IT environment
EDGAR is the Securities and Exchange Commission’s (SEC’s) electronic filing system that provides an
individual, company, or agent who registers with the SEC the capability to transmit legally required
submissions. EDGAR is hosted internally by the Office of Information Technology (OIT) and consists of a
complex and highly integrated collection of hardware, software, tools, and databases. The system
automates the receipt, acceptance, internal processing, management, and dissemination of millions of
registration statements, annual/quarterly reports, ownership filings, and other filings from over 28,000
registered entities and millions of individual filers received by the SEC throughout each year. SEC
examiners rely on EDGAR to have a source of timely, comprehensive, and accurate information.
System enhancements to EDGAR are implemented to support the requirements of the SEC’s regular
rulemaking, including requirements that new rules impose on registrants. While EDGAR system
enhancements focus on the functionality of the current system, the EDGAR Redesign (ERD) program is a
multi-year, cross- agency initiative aimed toward delivering a new electronic disclosure solution to replace
the current system.
Page 1 of 9

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)

The EDGAR Business Office (EBO) provides direct executive-level oversight for the ongoing
transformation of specific functions and programs to include business ownership of the EDGAR and the
EDGAR redesign program initiative.
Generally, PII about individuals associated with Regulated Entities is used:
•
To identify individuals acting as Transfer Agents, Broker Dealers, Investment Advisers,
Municipal Advisors, or individuals associated with regulated entities in other capacities, for
the EDGAR registration process;
•
To communicate with Transfer Agents, Broker Dealers, Investment Advisers, Municipal
Advisors, or individuals associated with regulated entities in other capacities, regarding their
filing submissions;
•
By the SEC and other enforcement agencies in any enforcement or disciplinary
proceedings or complaint-related inquiries concerning Transfer Agents, Broker Dealers,
Investment Advisers, Municipal Advisors, or individuals associated with regulated entities
in other capacities; and
•
By the SEC or SEC-regulated institutions that employ Transfer Agents, Broker Dealers,
Investment Advisers, Municipal Advisors, or individuals associated with regulated entities in
other capacities, for taking disciplinary actions or making employment decisions.
The SEC utilizes the EDGAR filing websites, Online Forms Management and Filer Management to receive
forms from registrants electronically. Key subsystems for collections, storage, and dissemination also
include Receipt and Acceptance (R&A), EDGARLink, EDGAR Enterprise Data Repository (EDR),
EDGAR Workstation, and Momentum Financials.
External EDGAR, available on SEC.gov, contains publicly-disseminated submissions. Internal EDGAR, also
known as the EDGAR workstation, is available to authorized Commission staff and contains both public and
non-public information. The system is designed to separate non-public from public information and
disseminate only public information through the EDGAR Dissemination Service, a separate system that
markets data directly to subscribers.
2.2

What specific legal authorities, arrangements, and/or agreements allow the information to be collected?
15 U.S.C. 77a et seq., 78a et seq., 80a-1 et seq., 80b-1 et seq.; and rules and regulations adopted by the
Commission under the Securities Act of 1933, the Securities Exchange Act of 1934, the Investment Company
Act of 1940, the Investment Advisors Act of 1940 and Section 975(a) of the Dodd-Frank Wall Street Reform
and Consumer Protection Act.

2.3

Does the project use, collect, or maintain Social Security numbers (SSNs)? This includes truncated SSNs.
☒ No
☐ Yes
If yes, provide the purpose of
collection:
If yes, provide the legal authority:

2.4

Do you retrieve data in the system by using a personal identifier?
☐ No
☐ Yes, a SORN is in progress
☒ Yes, there is an existing SORN
SEC-01 Division of Corporation Finance Records, 83 FR 6892 (February 15, 2018)
SEC-02 Division of Investment Management Records, 83 FR 6892 (February 15, 2018)

Page 2 of 9

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)

SEC-03 Division of Trading and Markets Records, 83 FR 6892 (February 15, 2018)
SEC-05 Office of Municipal Advisor Records, 85 FR 85440 (January 27, 2021)
2.5

Is the information covered by the Paperwork Reduction Act of 1995 (PRA)?
☐ No
☒ Yes
Multiple forms uploaded and stored in EDGAR are subject to PRA requirements. The SEC’s current
inventory of all collections of information from the public for which it has received prior approval from
OMB, as required by the Paperwork Reduction Act is located at the following link:
https://www.reginfo.gov/public/do/PRAMain

2.6

Considering the purpose of the collection, what privacy risks were identified and how were those risks
mitigated?
EDGAR was developed to automate the receipt, acceptance, internal processing, management, and
dissemination of millions of registration statements, annual/quarterly reports, ownership filings, and other
filings received by the SEC throughout each year. The main privacy risks are that individuals may not
understand the purpose for collecting the information and information provided for one purpose may be used
inappropriately.
To mitigate this risk, forms will contain the statute to which information collection is authorized. EDGAR
submissions are authorized by various statutes including the Securities Act of 1933, the Securities Exchange
Act of 1934, the Investment Company Act of 1940, the Investment Advisors Act of 1940 and Section 975(a) of
the Dodd-Frank Wall Street Reform and Consumer Protection Act. Moreover, the legal authority is documented
in various SEC system of records notices (SORNs), including SEC-01 Division of Corporation Finance
Records, 83 FR 6892 (February 15, 2018), SEC-02 Division of Investment Management Records, 83 FR 6892
(February 15, 2018), SEC-03 Division of Trading and Markets Records, 83 FR 6892 (February 15, 2018), and
SEC-05 Office of Municipal Advisor Records, 85 FR 85440 (January 27, 2021).

3.1

Section 3: Data Collection, Minimization, and Retention
What information is collected, maintained, used, or disseminated about individuals? Check all that apply.
☐ The system does not collect, maintain, use, or disseminate information about individuals.
Identifying Numbers
☐ Social Security Number
☐ Alien Registration
☐ Financial Accounts
Taxpayer
ID
Driver’s
License
Number
☐
☐
☐ Financial Transactions
☐ Employee ID
☐ Passport Information
☐ Vehicle Identifiers
File/Case
ID
Credit
Card
Number
☐
☐
☐ Employer ID
☐ Other:
General Personal Data
☒ Name
☐ Date of Birth
☐ Marriage Records
Maiden
Name
Place
of
Birth
☐
☐
☒ Financial Information
☐ Alias
☐ Home Address
☐ Medical Information
Gender
Telephone
Number
☐
☐
☐ Military Service
☐ Age
☒ Email Address
☐ Mother’s Maiden Name
☐ Race/Ethnicity
☐ Education Records
☐ Health Plan Numbers
☐ Civil or Criminal History
☒ Zip Code
☐ Other:
Work-Related Data
Page 3 of 9

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)

☐ Occupation
☒ Job Title
☒ Work Address
☐ PIV Card Information
☐ Other:
Distinguishing Features/Biometrics
☐ Fingerprints
☐ Voice Recording
☐ Other:
System Administration/Audit Data
☐ User ID
☒ IP Address
☒ Other: Central Index Key (CIK)
3.2

☒
☒
☒
☒

Telephone Number
Email Address
Certificate/License Number
Fax Number

☐ Salary
☐ Work History
☐ Business Associates

☐ Photographs
☐ Video Recordings

☐ Genetic Information
☐ Voice Signature

☒ Date/Time of Access
☐ Queries Ran

☐ ID Files Accessed
☐ Contents of Files

Why is the PII listed in Question 3.1 collected, used, shared, or maintained by the system or project?
EDGAR serves as the principal financial/entity data repository for the SEC. Filers submit information to the
SEC via registration statements, annual/quarterly reports, ownership filings, and other filings throughout each
year. Several filings require that the registered entity provide personal or business contact information.
Submissions may contain PII in order to allow and provide for follow up on the filing, send email notifications
of file submission, and for other communications regarding filings made.
SEC staff uses the data to: (1) perform analysis and review of disclosure documents submitted to the SEC; (2)
investigate and research submissions; (3) disseminate data, including under the Freedom of Information Act
(FOIA); (4) create reports; and (5) perform workflow management. Externally, EDGAR filing data is
disseminated to the public on the SEC.gov website and provides the public an accurate, complete and fast
method of obtaining all accepted and valid EDGAR filings. EDGAR Data is also transferred to the EDGAR
Public Dissemination Service (PDS). This privatized PDS System is the primary source to receive a dedicated
feed of all public EDGAR filings. Subscribers to the PDS System are required to enter into a paid Subscription
Agreement to access this service.

3.3

Whose information may be collected, used, shared, or maintained by the system?
☐ SEC Employees
Purpose:
☐ SEC Federal Contractors
Purpose:
☐ Interns
Purpose:
☒ Members of the Public
Purpose:
Registered entities submit filings to the SEC
☐ Employee Family Members
Purpose:
☐ Former Employees
Purpose:
☐ Job Applicants
Purpose:
☐ Vendors
Purpose:
Page 4 of 9

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)
☐ Other:
Purpose:
3.4

Describe the PII minimizing mechanisms and if the PII from the system is being used for testing,
training, and/or research efforts.
EDGAR supports the capability for some filings to be submitted as a test. Therefore, some of the data it
receives is test data. Test filings do not contain live PII. Also, test filings are deleted upon receipt.

3.5

Has a retention schedule been established by the National Archives and Records Administration
(NARA)?
☐ No.
☒ Yes.
Multiple forms uploaded and stored in EDGAR are subject to General Records Schedules (GRS)
prescribed by the National Archives and Records Administration (NARA). Refer to the applicable SORN
listed in Section 4.1 below for the applicable record retention schedule.

3.6

What are the procedures for identification and disposition at the end of the retention period?
The procedures for identification and disposition of the data at the end of the retention period are commensurate
with the SORN applicable to the filing type as delineated in the SEC Program Records List (for SEC-specific
records), and the General Records Schedule (GRS) prescribed by the National Archives and Records
Administration (NARA).
The SEC Records Schedules and NARA GRS provide mandatory instructions (disposition instructions) to all
NARA staff regarding how to maintain the Commission’s operational records and what to do with them when
they are no longer needed for current business. The disposition instructions state whether individual series of
records are permanent or temporary, as well as how long to retain the records. Records with historical value,
identified as permanent, are transferred to the National Archives of the United States. All other records are
identified as temporary and are eventually destroyed in accordance with the Records Schedule.
Records that are unscheduled, or do not have NARA’s approval, are permanently maintained until the office
determines the value and proposes retention of those records. The proposed retention schedule must be
submitted to NARA to gain its approval prior to the office applying retention.
EDGAR’s system administration records described in the various items under GRS 3.1 will be subject to
deletion. However, EDGAR content will be permanent and is not deleted/destroyed.

3.7

Will the system monitor members of the public, employees, and/or contractors?
☒ N/A
☐ Members of the Public
Purpose:
☐ Employees
Purpose:
☐ Contractors
Purpose:
Page 5 of 9

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)
3.8

Considering the type of information collected, what privacy risks were identified and how were those
risks mitigated?
The primary privacy risk is inadvertent disclosure of sensitive PII associated with Identifying Numbers in
Section 3.1 that may be submitted in attachments to filings, e.g., exhibits. This risk is mitigated by
implementing technological controls that permit the automatic redaction of certain number patterns from filing
information prior to posting on the SEC’s public website.

4.1

Section 4: Openness and Transparency
What forms of privacy notice were provided to the individuals prior to collection of data? Check all that
apply.
☒ Privacy Act Statement
Multiple forms uploaded to EDGAR have Privacy Act Statements on the form or instructions to the form.
☒ System of Records Notice
SEC-01 Division of Corporation Finance Records, 83 FR 6892 (February 15, 2018)
SEC-02 Division of Investment Management Records, 83 FR 6892 (February 15, 2018)
SEC-03 Division of Trading and Markets Records, 83 FR 6892 (February 15, 2018)
SEC-05 Office of Municipal Advisor Records, 85 FR 85440 (January 27, 2021)
☒ Privacy Impact Assessment
Date of Last Update: 2/5/2020
☒ Web Privacy Policy
SEC’s Web Site Privacy and Security Policy. The link is http://www.sec.gov/privacy
☐ Other notice:
☐ Notice was not provided.

4.2

Considering the method(s) of notice provided, what privacy risks were identified regarding adequate
notice and how were those risks mitigated?
The primary privacy risk is inadequate notice to individuals. This risk is mitigated through publication of SEC
Rules in the Federal Register which provide the legal authority for requesting the information, the purposes for
which the information will be used and disclosed, and the consequences of their not providing any or all of the
requested information.
Additionally, before a regulated entity can electronically file with the SEC on EDGAR, they must submit the
Form ID which enables filers to obtain a unique Central Index Key (CIK). The Form ID (Part III—Contact
Information) will provide notice to filers that personal information, including email address, will be stored on
EDGAR. Ultimately, the publication of this PIA and the SORNs SEC-01, SEC-02, SEC-03, and SEC-05
provide the public with notice of the collection, use and maintenance of this information.

5.1

Section 5: Limits on Uses and Sharing of Information
What methods are used to analyze the data?
EDGAR is a dissemination system and does not analyze data for the purposes of deriving new data or creating
previously unavailable data about an individual through aggregation from the information submitted in the
system. The data is collected only for purposes of managing and processing filings and related documents.

5.2

Will internal organizations have access to the data?
Page 6 of 9

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)
☐ No
☒ Yes
Organizations:

5.3

EDGAR is an enterprise system and all SEC divisions and offices may use EDGAR data,
but the Division of Investment Management (IM), Division of Corporation Finance (CF),
Division of Trading and Markets (TM), Division of Economic and Risk Analysis
(DERA), Division of Enforcement (ENF) and Division of Examinations (EXAMS) are
the primary users.

Describe the risk to privacy from internal sharing and describe how the risks are mitigated.
EDGAR workstation is available to authorized SEC staff and contains both public and non-public information.
The primary privacy risk is inadvertent or inappropriate sharing of non-public data with unauthorized
individuals. This risk is mitigated through role-based access. Also, certain submission types are not accessible
from SEC Workstations, unless suspended or blocked. In those instances, authorized staff are available to assist
in ensuring submission of the filing.

5.4

Will external organizations have access to the data?
☐ No
☒ Yes
Organizations: Data that should be made publicly available is disseminated to the public and to
subscribers via the SEC website and the PDS. Additionally, some data is shared with
Financial Industry Regulatory Authority (FINRA) and to other external entities that are
consistent with the routine uses stated in the various SEC SORNs for EDGAR data. Each
subscriber determines their own internal procedures for securing the data.

5.5

Describe the risk to privacy from external sharing and describe how the risks are mitigated.
The primary privacy risk associated with external sharing is the risk of disclosure to unauthorized recipients
during the transmission of information to external entities. The data is transmitted electronically to the SEC's
public site through the SEC's network, and to public disseminators and FINRA through the Internet and secured
network connections. Data may also be transmitted via a secured encrypted manner, including encrypted email
and encrypted File Transfer Protocol. Also, all external communications from EDGAR utilize SEC OIT
infrastructure elements, site-to-site virtual private network (VPN) and encryption technologies.

6.1

6.2

Section 6: Data Quality and Integrity
Is the information collected directly from the individual or from another source?
☒ Directly from the individual.
☒ Other source(s): Registered entities may submit information on officers, board members, or customers
through EDGAR
What methods will be used to collect the data?
Filers submit information to the SEC via registration statements, annual/quarterly reports, ownership filings, and
other filings throughout each year. EDGAR consists of multiple subsystems by which data is collected, used,
maintained or disseminated.

6.3

How will the data collected from individuals, or derived by the system, be checked for accuracy and
completeness?
Page 7 of 9

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)
EDGAR Application has validations to ensure that the data collected from individuals meets certain
requirements. It is the responsibility of the Filer to provide accurate information. EDGAR supports the
capability for some filings to be submitted as a test to make sure the submission is correct by checking all of the
assembled documents and applying host processing steps like determining the fee and checking your security
codes. For a test submission, fees will not be deducted, the filing will not be disseminated, and the filing will
not be considered filed with the SEC.
6.4

Does the project or system process, or access, PII in any other SEC system?
☒ No
☐ Yes.
System(s):

6.5

Consider the sources of the data and methods of collection and discuss the privacy risk for this system
related to data quality and integrity? How are these risks mitigated?
The primary privacy risk involves incomplete or inaccurate information that can lead to incorrectly informed
decisions by regulators, financial loss to the investing public, and reputational loss to the regulated entity. This
risk is mitigated by collecting data directly from filers to the extent possible. EDGAR has validations to ensure
that data meets the specifications as required for each form.

7.1

Section 7: Individual Participation
What opportunities are available for individuals to consent to uses, decline to provide information, or opt
out of the project? If no opportunities are available to consent, decline or opt out, please explain.
Information is obtained from individuals pursuant to the requirements of federal securities laws. To fulfill those
requirements, filers must submit certain data on individuals. Individuals submitting filings in the EDGAR
System are responsible for submitting accurate information. The system allows electronic filers to transmit their
submissions in test mode before they commit to a live version to provide iterative error analysis and feedback.
Because the individual, or their designated third party, submits the information about him or herself directly, the
likelihood of erroneous PII is greatly reduced. EDGAR has internal application business rules and syntactic
processing in place to verify all transmissions into EDGAR.

7.2

What procedures are in place to allow individuals to access their information?
Individuals wishing to obtain information on the procedures for gaining access to their information may contact
the FOIA/PA Officer, Securities and Exchange Commission, 100 F Street, NE, Mail Stop 5100, Washington,
DC 20549-2736 or email request to [email protected]

7.3

Can individuals amend information about themselves in the system? If so, how?
Individuals wishing to amend their information in records may contact the FOIA/PA Officer, Securities and
Exchange Commission, 100 F Street, NE, Mail Stop 5100, Washington, DC 20549-2736 or email request to
[email protected] .

7.4

Discuss the privacy risks related to individual participation and redress? How were these risks mitigated?
The primary risk is outdated or inaccurate information. This risk is mitigated by capability for Filers to
subsequently amend filings to correct any erroneous information submitted in the prior filing. In addition, SEC
procedures for amendment or correction of records is published in the applicable SORNs.
Page 8 of 9

Privacy Impact Assessment

Electronic Data Gathering, Analysis, and Retrieval (EDGAR)

8.1

8.2

8.3

Section 8: Security
Can the system be accessed outside of a connected SEC network?
☐ No
☒ Yes
If yes, is secured authentication required?
☐ No
☒
Is the session encrypted?
☐ No
☒
Does the site have a posted privacy notice?
☐ No
☐ Yes
☒ N/A

☐ Not Applicable
☐ Not Applicable

Does the project or system use web measurement and/or customization technologies?
☒ No
☐ Yes, but they do not collect PII
☐

9.1

Yes
Yes

Yes, and they collect PII

Section 9: Accountability and Auditing
Describe what privacy training is provided to users, either general or specific to the system or project.
All SEC staff and contractors receive initial and annual privacy awareness training, which outlines roles and
responsibilities for proper handling and protection of PII. SEC Rules of the Road ensure that employees and
contractors are aware of their security responsibilities and how to fulfill them.

9.2

Does the system generate reports that contain information on individuals?
☐ No
☒

Yes
Submissions may contain PII in order to allow and provide for follow up on the filing, send email
notifications of file submission, and for other communications regarding filings made.

9.3

Do contracts for the system include Federal Acquisition Regulation (FAR) and other applicable clauses
ensuring adherence to the privacy provisions and practices?
☐ No
☒ Yes
☐ This is not a contractor operated system

9.4

Does the system employ audit logging or event logging?
☐ No
☒ Yes

9.5

Given the sensitivity of the PII in the system, manner of use, and established safeguards, describe the
expected residual risk related to access.
EDGAR is used to process a vast amount of company information provided by filers. The SEC has implemented
substantial safeguards, including access controls, encryption of non-public data, and firewalls, to protect this
information, but there is always a minimal risk of sharing or disclosure to unauthorized individuals.

Page 9 of 9


File Typeapplication/pdf
File TitleElectronic Data Gathering Analysis and Retrieval (EDGAR)
File Modified2023-08-23
File Created2023-03-23

© 2024 OMB.report | Privacy Policy