Download:
pdf |
pdfPrivacy Impact Assessment
for the
Enterprise Coordination and Approval
Processing System (eCAPS)
DHS/FEMA/PIA-023
May 21, 2012
Contact Point
Arnie Gonzalez
Mission Assignment Branch
Response Directorate
202-646-4313
Reviewing Official
Mary Ellen Callahan
Chief Privacy Officer
Department of Homeland Security
(703) 235-0780
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 1
Abstract
The U.S. Department of Homeland Security (DHS) Federal Emergency Management
Agency (FEMA), Office of Response and Recovery (OR&R) operates the Enterprise
Coordination and Approvals Processing System (eCAPS) application.
Following a
Presidentially-declared disaster, OR&R utilizes eCAPS, a FEMA intranet-based application, to
collect, use, maintain, and disseminate personally identifiable information (PII) from federal and
state points of contact (POCs) who request disaster support from FEMA. eCAPS tracks action
requests, electronic coordination and approval of internal requisitions for services and supplies,
and mission assignments. This Privacy Impact Assessment (PIA) is being conducted because
eCAPS collects, uses, maintains, and disseminates PII from federal and state POCs.
Overview
FEMA OR&R operates the eCAPS application. The eCAPS system provides support to
initiate, track, and expedite the process of providing direct aid and technical assistance to other
federal agencies and states in response to a Presidentially-declared disaster. In order to meet
FEMA’s response obligations under the Robert T. Stafford Disaster Relief and Emergency
Assistance Act (Stafford Act) and the Homeland Security Act of 2002 (Homeland Security Act),
FEMA utilizes eCAPS to collect, use, maintain, and disseminate information from federal and
state POCs who request disaster assistance. eCAPS facilitates the matching of these requests
from government entities with FEMA’s existing response capabilities and the response
capabilities of the other federal agencies (OFAs) to which FEMA may delegate a mission
assignment (MA).
Once the President of the United States makes a pre-incident emergency declaration or
post-disaster declaration under the Stafford Act and the Homeland Security Act, federal entities,
and most often, state governments, submit requests to FEMA for direct federal support and/or
technical assistance. Whether in anticipation of a major catastrophic event or following a major
disaster, the governor of a state declares a state of emergency, and the state follows with a
request for federal assistance. State POCs may initiate these requests in several different ways,
including by phone and paper form. When FEMA receives an “Action Request Form” (ARF, or
FEMA Form (FF) 010-0-7), filled out and signed by the State Approving Official (SAO), the
approval process begins. For example, the State Coordinating Officer (SCO) or other POC
completes an ARF, obtains the signature of the SAO, and transmits FF 010-0-7, by hand or
electronically, to the FEMA Action Tracker or Mission Assignment Manager (MAM), who
delivers the completed ARF to the FEMA Operations Section Chief (OSC) for approval. If there
are any discrepancies with the information on the ARF, the form is returned to the POC by hand
or is verified through an informal phone call by the Action Tracker or MAM. Alternatively, the
governor, emergency manager, or other state POC may contact a FEMA official to request
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 2
support, and the MAM follows up by conducting a phone interview with the state POC. During
the call, the MAM provides the requisite privacy notice and collects the required information
such as name, contact information, and a description of the requested assistance, and then
forwards the information to a FEMA Action Tracker. In both instances, the OSC verifies and
validates the request and considers whether or not it: 1) is eligible for federal funding; 2) can be
supported by the state; 3) constitutes restorative or temporary work; and/or 4) is within the
statutory authority of another federal agency. If any questions should arise, the OSC contacts the
state POC for additional information.
If one or more other federal agencies are needed to provide or supplement FEMA
support, the OSC coordinates with the specified Emergency Support Function (ESF)/Other
Federal Agency (OFA) POC(s) to ascertain the abilities of the agency(ies) to meet the request. If
the other federal agency(ies) have the capabilities, the OSC assigns a project manager to the
Mission Assignment (MA), and the ESF/OFA designates an action officer. Then the FEMA
Project Manager and OFA Action Officer jointly develop a Statement of Work (SOW). If the
OSC approves the action request and SOW, the OSC hand-delivers the approved, signed FF 0100-7 (ARF) to the MAM, who in turn opens the Intranet-based eCAPS system. The Intranet is
behind the FEMA firewall, so eCAPS is not accessible to those outside of FEMA. After opening
eCAPS, the MAM is given the choice to create either a new FEMA Form 010-0-8 “Mission
Assignment Form” or a new FEMA Form 146-0-2 “Requisition and Commitment for Service
and Supplies,” (formerly FEMA Form 40-1).
If the MAM initiates an MA, he or she manually enters the information directly from FF
010-0-7 (ARF) into the appropriate fields of FF 010-0-8 (MA) within eCAPS. In addition, if the
OSC determines that additional funds are required for FEMA to fulfill the action request, and/or
if a contract is necessary to fulfill a portion of the request, then either an National Response
Coordination Center (NRCC) Ordering Specialist or a Project Officer affiliated with the
requested resource uses the same eCAPS login process as the MAM but instead selects the
option to create a new FF 146-0-2 (procurement request). This form documents the resource
requirements, timelines, coordination, and approvals that are associated with a particular vendor.
At this point, the NRCC Ordering Specialist or Project Officer manually enters the requested
information from the completed, approved FF 010-0-7 (ARF) into FF 146-0-2 within eCAPS.
Once the information is entered into eCAPS, the request is routed for electronic approval
by the FEMA MAM, project manager, and Federal Approving Official (FAO). Subsequently,
the FEMA comptroller reviews the MA in eCAPS and obligates the funds via a system external
to eCAPS. Finally, the FEMA Action Tracker or MAM monitors the status of the MA in eCAPS
and delivers copies of FF 010-0-8 (MA) signed by the comptroller to the ESF/OFA Action
Officer, the FEMA Project Manager, and FEMA Acquisitions for filing and billing
accountability. The information in eCAPS is maintained for one year after the final audit and
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 3
after applicant appeals are resolved, and is then retired to the Federal Records Center (FRC) for
six years and three months.
ECAPS information may, on occasion, be shared with other federal agencies that have a
role in providing support to meet the requirements of the state’s action request. In addition, in
rare circumstances, FEMA may share Action Request status information with SCOs through
eCAPS at Joint Field Offices (JFOs). In these cases, the information in eCAPS is retrieved by a
disaster ID number or state name but is not retrieved or retrievable by the PII of any member of
the public (state official or OFA employee).
The primary privacy risks relative to eCAPS are the risk of inaccurate information being
entered into eCAPS, because of the manual data entry that occurs during the processing of all
three forms, and the risk that the information may be retained for a longer period than necessary.
To mitigate these privacy risks and enhance privacy protections overall, FEMA employs a
variety of measures, including allowing state POCs to correct inaccurate information by
telephone or email, and using training courses and standard operating procedures to document
eCAPS protocols and establish guidelines for how FEMA employees use eCAPS.
Section 1.0 Authorities and Other Requirements
1.1
What specific legal authorities and/or agreements permit and
define the collection of information by the project in question?
FEMA is delegated with assisting and supplementing federal, state, and local efforts and
capabilities in times of emergencies and disasters. FEMA responds to requests for emergency
and/or disaster declarations from states that have been or may be affected by a natural
catastrophe, or regardless of cause, any fire, flood, or explosion in any part of the United States.
In order to carry out its mission and responsibilities, FEMA needs information from states in
order to expediently process and analyze the request and to properly notify the State making of
its decision as to whether to declare an emergency and/or disaster. Below are the various
authorities that give FEMA this power:
•
Robert T. Stafford Disaster Relief and Emergency Assistance Act, Pub. L. No. 93-288 (as
amended at 42 U.S.C. § 5121-5122, § 5170-5173, § 5191-5192);
•
Homeland Security Act of 2002, Pub. L. No. 107-296 (codified as amended at 6 U.S.C. §
317);
•
Emergency Management and Assistance, 44 C.F.R. § 206.31-206.66 (2009);
•
Executive Order 12127;
•
Executive Order 12148;
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 4
•
Executive Order 12656;
•
Office of Management and Budget Information Collection Request (OMB ICR) No.
1660-0047;
•
Homeland Security Presidential Directive (HSPD) 5, Domestic Incident Management
(February 28, 2003);
•
FEMA Interim CFO Directive 2600-008 Managing Open Obligations (22 June 2009);
and
•
FEMA Interim Directive 2600-016 Disaster Relief Fund (DRF) - Pre-Disaster
Declaration (Surge) Funding (29 September 2009).
1.2
What Privacy Act System of Records Notice(s) (SORN(s)) apply
to the information?
The information in eCAPS is retrieved by a specific disaster number or state name. The
information in eCAPS is neither retrieved nor retrievable by any PII, and therefore the
information is not part of a system of records.
1.3
Has a system security plan been completed for the information
system(s) supporting the project?
An Information System Security Officer (ISSO) has been assigned and is currently
recertifying and reaccrediting the system. The ISSO expects eCAPS will receive its authority to
operate (ATO) by May 2012.
1.4
Does a records retention schedule approved by the National
Archives and Records Administration (NARA) exist?
FEMA retains the information in eCAPS pursuant to NARA Authority N1-311-89-5,
Item 1. Under this rule, the records are collected and retained for one year after the final audit
and after applicant appeals are resolved, and then are retired to the FRC for six years and three
months.
1.5 If the information is covered by the Paperwork Reduction Act
(PRA), provide the OMB Control number and the agency number for
the collection. If there are multiple forms, include a list in an appendix.
Information collected under eCAPS is covered under the PRA. OMB ICR No. 16600047 (expires March 31, 2014) includes FEMA Form (FF) 010-0-7 “Action Request Form,” and
FEMA Form (FF) 010-0-8 “Mission Assignment.”
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 5
Section 2.0 Characterization of the Information
2.1
Identify the information the project collects, uses, disseminates, or
maintains.
From State/Local/Tribal Agency or Other Federal Agency POCs:
Name of Initiator/Requestor
Title of Requestor
24 Hour Phone Number of Requestor
Email Address of Requestor
Site POC Name
24 Hour Phone of Site POC
Email Address of Site POC
Name of ESF/OFA Action Officer (AO)
24 Hour Phone Number of ESF/OFA AO
Email Address of ESF/OFA AO
Fax Number of ESF/OFA AO
State Approving Official (SAO) Signature
Recipient Name & Organization
Requestor’s Organization
Requestor’s Fax Number
Date of Request
Assistance Requested
Quantity of Assistance
Priority
Date and Time Needed
Delivery Site Location
Date Site POC was Designated
Fax Number of Site POC
Date and Time Signed by SAO
State of Recipient
Date/Time Received
(FF 010-0-7/FF 010-0-8)
(FF 010-0-7)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-8)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-8)
(FF 010-0-7)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-7)
(FF 010-0-7)
(FF 010-0-7)
(FF 010-0-8)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-7)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-8)
(FF 010-0-7)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-7/FF 010-0-8)
From FEMA Employees or Contractors:
Name of OPS Reviewer
Name of LOG Reviewer
Names of Other Coordinators
Name of ESF/OFA Action Officer (AO)
24 Hour Phone Number of ESF/OFA AO
Email Address of ESF/OFA AO
Names of FEMA Project Manager (PM)
24 Hour Phone Number of FEMA PM
(FF 010-0-7)
(FF 010-0-7)
(FF 010-0-7)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-7/FF 010-0-8)
(FF 010-0-8)
(FF 010-0-7)
(FF 010-0-7)
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 6
Signature of FEMA PM/Branch Director
(FF 010-0-8)
Name of MA Manager (Preparer)
(FF 010-0-8)
Name of Agency(ies) Assigned
(FF 010-0-8)
Signature of Comptroller/Funds Control POC (FF 010-0-8)
Signature of Federal Approving Official
(FF 010-0-8)
Recipient’s Name, Office Symbol, Bldg., Room# (FF 146-0-2)
Suggested Sources (Name, Address, Contact, Telephone #) (FF 146-0-2)
Signature of COTR
(FF 146-0-2)
Signature of Intermediate Approval
(FF 146-0-2)
Signature of Program Head
(FF 146-0-2)
Signature of Other Coordination
(FF 146-0-2)
Personal Property/Mgmt Services Section Signature (supplies/equipment) (FF 146-0-2)
Personal Property/Management Services Section POC (FF 146-0-2)
Signature of Certifying Officer
(FF 146-0-2)
Assignment: Name of Contracting/Assistance Officer (FF 146-0-2)
Phone Number of Contracting/Assistance Officer (FF 146-0-2)
Name of Contract Specialist
(FF 146-0-2)
Phone Number of Contract Specialist
(FF 146-0-2)
Fax Number of FEMA PM
(FF 010-0-7)
Fax Number of ESF/OFA AO
(FF 010-0-7)
Sources Used to Meet the Request
(FF 010-0-7)
Statement of Work
(FF 010-0-7/FF 010-0-8)
Actions Taken
(FF 010-0-7)
Initial Federal Coordination
(FF 010-0-8)
Reasons for Actions Taken
(FF 010-0-7)
Date/Time of Actions
(FF 010-0-8)
Requestors were Notified of Actions Taken?
(FF 010-0-7)
Types of Mission Assignments (MAs)
(FF 010-0-8)
MA Date
(FF 010-0-8)
MA Number
(FF 010-0-8)
Assigned to ESF/OFA or Other?
(FF 010-0-7)
New MA or Amendment to MA?
(FF 010-0-8)
Amendment Number
(FF 010-0-8)
Estimated Start Date
(FF 010-0-8)
Estimated Completion Date
(FF 010-0-7/FF 010-0-8)
Estimated Cost
(FF 010-0-7/FF 010-0-8)
State Cost Share Percentage
(FF 010-0-8)
State Cost Share Amount
(FF 010-0-8)
Fund Citation
(FF 010-0-8)
Amount This Action
(FF 010-0-8)
Cumulative Amount (amendment)
(FF 010-0-8)
Initials (for Cumulative Amount)
(FF 010-0-8)
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 7
2.2
Date/Time Obligated
(FF 010-0-8)
eCAPS/NEMIS Task ID
(FF 010-0-7)
State NEMIS ID
(FF 010-0-8)
Action Request Number
(FF 010-0-7)
Internal Control Number
(FF 010-0-8)
Program Code/Event Number
(FF 010-0-7/FF 010-0-8)
Requisitioning Program Office (Symbol/Bldg/Room #) (FF 146-0-2)
Contracting Officers’ Technical Representative (COTR) (FF 146-0-2)
Date of Request
(FF 146-0-2)
Estimated Period of Performance
(FF 146-0-2)
Total Estimated Cost
(FF 146-0-2)
Project Title/Description of Supplies, Equipment and/or Services (FF 146-0-2)
List of Attachments
(FF 146-0-2)
Justification/Comments
(FF 146-0-2)
Available and Reserved Amount
(FF 146-0-2)
Date Procurement Request (PR) Received
(FF 146-0-2)
Date PR Received
(FF 146-0-2)
Attachments to forms
(FF 010-0-7/FF 010-0-8/FF 146-0-2)
What are the sources of the information and how is the
information collected for the project?
The sources of the information in eCAPS are FEMA employees and contractors, State
Coordinating Officers, and federal employees of agencies outside of DHS requesting assistance.
The information may be collected via paper form, verbally via telephone or in person, or
electronically via direct entry into eCAPS.
2.3 Does the project use information from commercial sources or
publicly available data? If so, explain why and how this information is used.
eCAPS does not use information from commercial sources or publicly available data.
2.4
Discuss how accuracy of the data is ensured.
FEMA collects information directly from the state POC, either from the ARF or via a
phone interview. Once FEMA staff either receive the completed ARF or record the data in an
ARF, they verify it with the state POC via email, phone or in person before approving it for
processing. The data is read off of the ARFs and then manually entered into eCAPS by FEMA
staff.
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 8
2.5
Privacy Impact Analysis: Related to Characterization of the
Information
Privacy Risk: A privacy risk associated with the system is that eCAPS may collect
erroneous or inaccurate information.
Mitigation: To mitigate this risk, FEMA collects the information in eCAPS directly
from the federal and state points of contact (POCs) requesting FEMA assistance. In the cases
where FEMA personnel manually enter data into the Action Request Form on behalf of the
POCs, FEMA mitigates this risk by verifying the data with the POCs before it is entered into
eCAPS. In addition, FEMA provides annual training, online training and policy to educate
eCAPS users regarding the importance of and ways to ensure accuracy of the data.
Section 3.0 Uses of the Information
3.1
Describe how and why the project uses the information.
FEMA collects the information in eCAPS through paper forms, FEMA intranet interface,
telephone conversations, and via email. The information is used to initiate, track, and expedite
the process of providing aid to other federal agencies, states and communities in response to a
pre-incident emergency declaration or post-disaster declaration under the Stafford Act. The
information assists FEMA in matching and assigning the requests for assistance it receives from
federal or state government entities with FEMA’s existing response capability and the
capabilities of other federal agencies, which facilitates the response element of FEMA’s mission
under the Stafford Act.
More specifically, the eCAPS application collects names, titles, signatures, email
addresses, and phone numbers of state POCs requesting federal assistance and other individuals
involved in the process of responding to an Action Request to establish accountability for
assistance requests and mission assignments, and to enhance communication among
stakeholders. FEMA also uses email and telephone conversations as tools for accomplishing the
redress and correction of erroneous information in eCAPS.
3.2
Does the project use technology to conduct electronic searches,
queries, or analyses in an electronic database to discover or locate
a predictive pattern or an anomaly? If so, state how DHS plans to
use such results.
eCAPS does not conduct electronic searches, queries, or analyses in an electronic
database to discover or located a predictive pattern or an anomaly.
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 9
3.3
Are there other components with assigned roles and
responsibilities within the system?
No other DHS components have an assigned role or responsibility in eCAPS.
3.4
Privacy Impact Analysis: Related to the Uses of Information
Privacy Risk: A privacy risk associated with eCAPS includes FEMA using information
for purposes other than that for which it was collected.
Mitigation: FEMA limits the collection of information to that which is relevant to
facilitate the review of action requests and establish the accountability and communication
necessary to fulfill those requests through mission assignments. Access to eCAPS is limited via
the FEMA intranet to only those with a “need to know” the information in the course of their
official duties. FEMA also limits the sharing of the information within eCAPS to the rare
instances when state or federal points of contact may access eCAPS while present in a Joint Field
Office (JFO).
Section 4.0 Notice
4.1
How does the project provide individuals notice prior to the
collection of information? If notice is not provided, explain why
not.
FEMA leverages several media to ensure that ample notice of its information collection
for eCAPS has been provided to the respective federal and state POCs whose information is
collected and maintained therein. First, the respective forms, noted above in section 1.5, have
Privacy Notices (attached at Appendix A) prominently displayed. Secondly, FEMA staff, most
often a Mission Assignment Manager, provide a verbal privacy notice (attached at Appendix B)
when conducting a phone interview to assist the state or federal POC in completing the Action
Request Form (FF 010-0-7). Lastly, this PIA also provides notice of the collection of
information for eCAPS.
4.2
What opportunities are available for individuals to consent to
uses, decline to provide information, or opt out of the project?
First, there is only one use of the information in eCAPS, as described in section 3.1
above. Secondly, FEMA voluntarily collects the information requested in its “Action Request
Form (ARF)” (FF 010-0-7) and “Mission Assignment Form” (FF 010-0-8). Federal and state
POCs who are requesting FEMA assistance, but who may not be able to fill out the ARF may
also provide this information directly to a FEMA Mission Assignment Manager, who will then
complete the ARF on behalf of the POC. Federal and state POCs can opt out and choose not to
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 10
submit the requested information, but to do so means that FEMA will not be able to provide
assistance.
4.3
Privacy Impact Analysis: Related to Notice
Privacy Risk: A privacy risk associated with this system is that the individual federal
and state POCs will not receive notice at the time their information is collected.
Mitigation: This privacy risk is mitigated because FEMA provides a Privacy Notice
(attached at Appendix A) to federal and state POCs either on the form itself, or verbally
(attached at Appendix B) if a FEMA MAM is assisting the POC.
Section 5.0 Data Retention by the project
5.1
Explain how long and for what reason the information is retained.
Pursuant to NARA Authority N1-311-89-5, Item 1, FEMA collects and stores the
information in eCAPS for one year after the final audit for a specific disaster and after applicant
appeals are resolved; the information is then retired to the FRC for six years and three months.
5.2
Privacy Impact Analysis: Related to Retention
Privacy Risk: A privacy risk associated with this system is that eCAPS will retain
information longer than necessary.
Mitigation: This privacy risk is mitigated because FEMA minimizes the time it keeps
the data, in line with the mission of eCAPS and with an allowance for appeals. In addition,
FEMA leverages eCAPS training and documentation, such as standard operating procedures, to
inform FEMA users of proper record retention standards.
Section 6.0 Information Sharing
6.1 Is information shared outside of DHS as part of the normal
agency operations? If so, identify the organization(s) and how the
information is accessed and how it is to be used.
Yes, however, FEMA limits the information in eCAPS that is shared outside of DHS as
part of the normal process of documenting federal and state action requests and matching them to
corresponding mission assignments. FEMA shares the information in its MA forms with the
state POCs who are responsible for approving the forms and possibly other federal agency
(OFA) POCs outside of DHS, if such agencies will be tasked to supply resources pursuant to the
request. In addition, federal and state POCs may obtain access to eCAPS while they are present
at a FEMA JFO. In this rare circumstance, federal and state POCs only have access to the status
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 11
of their respective action request (the ARF) via eCAPS. State POCs may only view information
in eCAPS about those disasters relevant to their states and, otherwise, may not search eCAPS.
6.2
Describe how the external sharing noted in 6.1 is compatible with
the SORN noted in 1.2.
While the information in eCAPS is not part of a system of records, it is only shared
externally to achieve the purposes of the action request and mission assignment functions, which
are an integral part of FEMA’s disaster response mission. The federal and state POCs, who may
access the status of their action request in eCAPS while present at a FEMA JFO, may only
retrieve this information by the name of their state and/or the FEMA disaster number. The data
in eCAPS is neither retrieved nor retrievable by any PII.
6.3
Does the project place limitations on re-dissemination?
Yes. In very limited situations, state or OFA POCs may have read-only access to eCAPS
while at a JFO, allowing them to view only the status of their respective action requests.
6.4
Describe how the project maintains a record of any disclosures
outside of the Department.
Though not a part of a system of records under the Privacy Act, requests for information
within eCAPS may be made to the FEMA Disclosure Office which maintains the accounting of
what records are disclosed and to whom.
6.5
Privacy Impact Analysis: Related to Information Sharing
Privacy Risk: A privacy risk associated with this system is that the information in
eCAPS could be erroneously disclosed.
Mitigation: This privacy risk is mitigated because FEMA strictly limits the sharing of
information in eCAPS to only those individuals who are involved in the process of requesting
FEMA assistance or assigning a response to such a request. Furthermore, within the scope of
information sharing that eCAPS allows, the sharing is further restricted, requiring a “need to
know” for the specific data. For example, as noted above in section 6.2, federal and state POCs
are only allowed to access the status of their respective action requests in eCAPS, and only if
they have access to eCAPS while present at a FEMA JFO, and even under these limited
circumstances, the status information includes only a notation of whether the action request was
granted, denied, or is pending.
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 12
Section 7.0 Redress
7.1
What are the procedures that allow individuals to access their
information?
Generally, the federal and state POCs who require access to their information in eCAPS
may submit a Freedom of Information Act (FOIA) request to the FEMA Disclosure Branch. The
Privacy Act does not apply to the information within eCAPS as it is neither retrieved nor
retrievable by a unique identifier, and thus is not part of a system of records.
More specifically, FEMA allows federal and state POCs to access to their information via
telephone and email.
7.2 What procedures are in place to allow the subject individual to
correct inaccurate or erroneous information?
To correct inaccurate or erroneous information in eCAPS, federal and state POCs may
contact directly the FEMA Mission Assignment Manager (MAM) assigned to their respective
request. MAMs are available to federal and state POCs via telephone, email, and perhaps even
in person, if the POC and the MAM are both present at a FEMA JFO.
7.3
How does the project notify individuals about the procedures for
correcting their information?
The process of documenting federal and state action requests and providing mission
assignments in response is very personal and “hands on,” which affords FEMA the opportunity
to provide eCAPS redress, and notice of redress, directly to the federal and state POCs involved
in the process. This notice may be provided during the initial interview with the FEMA MAM
who is assisting the POC with the ARF, and then again, notice may be provided by FEMA
Action Officers who may subsequently tell the POCs to contact their MAMs to correct any
erroneous information. The MAMs, in turn, may provide the POCs with the process for
correcting information either verbally via telephone or in person, or via email.
7.4
Privacy Impact Analysis: Related to Redress
Privacy Risk: A privacy risk associated with this system is that the federal and state
POCs whose information is in eCAPS will be unable to obtain redress.
Mitigation: This risk is mitigated because FEMA provides notice of its redress process
to federal and state POCs through different media. First, as noted above in section 7.3, there
FEMA has multiple opportunities to provide notice of redress to the POCs, first through the
initial process of MAMs assisting the POCs with their respective ARFs, and secondly, FEMA
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 13
Action Officers may subsequently advise the POCs to contact their respective MAMs for redress
issues. Additionally, this PIA also provides notice of FEMA’s redress process for eCAPS. The
high level of coordination between FEMA and the POCs affords an opportunity to achieve
redress. FEMA MAMs verbally verify information prior to entering it into eCAPS, then during
the approval process for an ARF, the FEMA OSC collaborates with the SCO, giving visibility
into the data as it exists in the ARF. Importantly, the SCO may also request a copy of the
obligated (approved) MA as it appears in eCAPS. Any errors that might have been made would
be revealed and can be fixed in real-time by FEMA’s MAM going into eCAPS and correcting
the data.
Section 8.0 Auditing and Accountability
8.1
How does the project ensure that the information is used in
accordance with stated practices in this PIA?
FEMA ensures that the practices stated in this PIA are followed by leveraging standard
operating procedures, which are updated annually; an annual training conference for eCAPS
users including FEMA staff and federal and state POCs; year-around online training on assisting
with the disaster declarations process, which includes how to complete ARFs; and FEMA Chief
Financial Officer (CFO) audits, which are conducted annually, if not more frequently. In
addition, relevant meetings, record retention schedules, and security measures promote
adherence to the practices stated in this PIA.
8.2
Describe what privacy training is provided to users either
generally or specifically relevant to the project.
All FEMA eCAPS users are required to successfully meet annual privacy awareness and
information security training requirements according the FEMA training guidelines. In addition,
the FEMA Action Tracker staff, who manually enter ARF data into eCAPS, receive programspecific eCAPS training.
8.3
What procedures are in place to determine which users may
access the information and how does the project determine who
has access?
FEMA limits federal and state POC access to eCAPS to only those individual POCs who
are present at a FEMA JFO and wish to access the status of their own action requests for the
specific event for which the POC is present at the JFO. The OSC approves state and JFO
requests for access to eCAPS. Such users must provide justification for access. Additionally,
the check-in form for laptops and other IT equipment at JFOs require a “need to know” for
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 14
access to specified IT systems and data. Supervisors must approve eCAPS access requests for
local FEMA employees.
8.4
How does the project review and approve information sharing
agreements, MOUs, new uses of the information, new access to the
system by organizations within DHS and outside?
Currently, eCAPS does not require information sharing agreements or MOUs; however,
the project has a process to review such agreements as necessary. This process involves program
stakeholders, ISSOs, the Office of Chief Counsel, and the FEMA Privacy Office. Similarly,
eCAPS will leverage its stakeholders in the process of reviewing and approving any new uses for
the project. If eCAPS contemplates new uses for the system or its information, FEMA will
update the required privacy compliance documentation.
Responsible Officials
Eric M. Leckey
Privacy Officer
Federal Emergency Management Agency
U.S. Department of Homeland Security
Approval Signature
Original signed copy on file with the DHS Privacy Office
Mary Ellen Callahan
Chief Privacy Officer
Department of Homeland Security
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 15
APPENDIX A: PRIVACY NOTICE FOR FF 010-0-7 AND FF 10-0-8
FEMA is authorized to collect this information under the Stafford Act, Post-Katrina Emergency
Management Reform Act (PKEMRA) of 2006, and other authorities. FEMA is collecting this
information to define what disaster assistance it will provide in response to a state or federal
agency’s request for FEMA assistance following a Presidentially-declared disaster. FEMA will
use the information to define the work to be performed, document the start and end dates of the
assignment, provide a cost estimate for the work, and to obligate the funds that are requested
from another federal agency to fulfill a mission task. Furnishing this information is voluntary;
however, failure to furnish the requested information may delay or prevent DHS/FEMA or other
federal agencies from providing the requested support.
�Privacy Impact Assessment
Enterprise Coordination and Approval Processing System
Federal Emergency Management Agency
Page 16
APPENDIX B: PRIVACY NOTICE PROVIDED VIA PHONE
“We are required by law to provide the following Privacy Notice to you. The information that
you give the Department of Homeland Security, Federal Emergency Management Agency, is
collected under the Post-Katrina Emergency Management Reform Act (PKEMRA) of 2006 and
other authorities. It will be used to determine the disaster assistance that is needed from
DHS/FEMA and other federal agencies. The information will also be used to define the work to
be performed, the timeframe, and estimated costs of fulfilling the request. DHS/FEMA may
share this information outside the agency upon written request, by agreement, or as required by
law. Furnishing the requested information is voluntary, but failure to do so may delay or prevent
DHS/FEMA and other agencies from providing the needed support.”
�
| File Type | application/pdf |
| File Title | Privacy Impact Assessment for the The U.S. Department of Homeland Security (DHS) Federal Emergency Management Agency (FEMA), Off |
| Author | Department Of Homeland Security Privacy Office |
| File Modified | 2012-05-22 |
| File Created | 2012-05-21 |