U.S. Securities and Exchange Commission
SRO Rule Tracking System (SRTS)/Electronic Form Filing System (EFFS)
PRIVACY IMPACT ASSESSMENT (PIA)
April 8, 2022
Division of Trading and Markets
Privacy Impact Assessment
SRO Rule Tracking System (SRTS)/Electronic Form Filing System (EFFS)
Section 1: System Overview

1.1 Name of Project or System
SRO Rule Tracking System (SRTS)/Electronic Form Filing System (EFFS)
1.2 Is the system internally or externally hosted?
☒ Internally Hosted (SEC): Office of Information Technology (OIT)
☐ Externally Hosted (Contractor or other agency/organization)
1.3 Reason for completing PIA
☐ New project or system
☒ This is an existing system undergoing an update
First developed: 2004
Last updated: 11/18/2020
Description of update: SRTS version 8.0 release includes changing authentication from Sybase to Active Directory.
1.4 Does the system or program employ any of the following technologies?
☐ Electronic Data Warehouse (EDW)
☐ Social Media
☐ Mobile Application (or GPS)
☐ Cloud Computing Services
☒ www.sec.gov Web Portal
☐ None of the Above
Section 2: Authority and Purpose of Collection

2.1 Describe the project and its purpose or function in the SEC’s IT environment
The Division of Trading and Markets (TM) and the Division of Examinations (EXAMS) utilize SRO Rule
Tracking System (SRTS)/Electronic Form Filing System (EFFS), a secure, web-based electronic filing
application, to process mandatory filings from Self-Regulatory Organizations (SRO) and Systems Compliance
and Integrity (SCI) entities. SRTS is the internal facing component that tracks the workflow supporting the
receipt, assignment, review, and approval/disapproval of the proposed rule change. EFFS is the external facing
component, accessed through a secure website, which manages the accounts for external and non-organizational
users. It is used by national securities exchanges (“exchanges”), national securities associations
(“associations”), clearing agencies (collectively “SRO”), and Systems Compliance and Integrity (SCI) entities
including SCI SROs, SCI alternative trading systems (SCI ATS), plan processors, and exempt clearing agencies
subject to Automation Review Policy (ARP) for form filing (collectively “EFFS Entities”). SCI entities use
EFFS for form filing and public comments and notice. The forms that may be submitted through the EFFS
system are Forms 19b-4, 19b-7 and SCI. Authorized SEC users are able to receive, act upon, and respond
electronically to the filing using SRTS, the application’s internal component. The SRTS component interfaces
with the CAS portal to receive comment letter data from the Commission Action System (CAS).
2.2 What specific legal authorities, arrangements, and/or agreements allow the information to be collected?
System of Records Notice (SORN) SEC-25, Information Pertaining or Relevant to SEC Regulated Entities and
Their Activities, authorities are 15 U.S.C. 78a et seq., 80a-1 et seq., and 80b-1 et seq. SORN SEC-03, SEC’s
Division of Trading and Markets Records, authorities are 15 U.S.C. 77a et seq.; 78a et seq.; 15 U.S.C. 80a-1 et
seq.; 80b-1 et seq.; and rules and regulations adopted by the Commission under the Securities Exchange Act of
1934, and other federal securities laws such as Sections 19 and/or 20 of the Securities Act of 1933; Section 21
of the Securities Exchange Act of 1934; Section 321 of the Trust Indenture Act of 1939; Section 42 of the
Investment Company Act of 1940; Section 209 of the Investment Advisers Act of 1940; and 17 CFR 202.5.
2.3 Does the project use, collect, or maintain Social Security numbers (SSNs)? This includes truncated SSNs.
☒ No
☐ Yes
If yes, provide the purpose of collection:
If yes, provide the legal authority:
2.4 Do you retrieve data in the system by using a personal identifier?
☐ No
☐ Yes, a SORN is in progress
☒ Yes, there is an existing SORN
SEC-03 Division of Trading and Markets Records
SEC-25 Information Pertaining or Relevant to SEC Regulated Entities and Their Activities
2.5 Is the information covered by the Paperwork Reduction Act of 1995 (PRA)?
☐ No
☒ Yes
OMB 3235-0045 (Rule 19b-4 and Form 19b-4); OMB 3235-0703 (Regulation SCI and Form SCI); OMB
3235-0553 (Rule 19b-7 and Form 19b-7).
2.6 Considering the purpose of the collection, what privacy risks were identified and how were those risks mitigated?
A potential privacy risk is that information collected could be used inappropriately. This risk is mitigated by
limiting the Personally Identifiable Information (PII) collected to only what is necessary to contact the
submitter for post-filing follow-up and by limiting access to the system to only authorized users with a need to
know such information to perform job duties.
Section 3: Data Collection, Minimization, and Retention

3.1 What information is collected, maintained, used, or disseminated about individuals? Check all that apply.
☐ The system does not collect, maintain, use, or disseminate information about individuals.

Identifying Numbers
☐ Social Security Number
☐ Taxpayer ID
☐ File/Case ID
☐ Alien Registration
☐ Driver’s License Number
☐ Credit Card Number
☐ Financial Accounts
☐ Financial Transactions
☐ Employee ID
☐ Passport Information
☐ Vehicle Identifiers
☐ Employer ID
☐ Other:

General Personal Data
☒ Name
☐ Date of Birth
☐ Marriage Records
☐ Maiden Name
☐ Alias
☐ Gender
☐ Age
☐ Race/Ethnicity
☐ Civil or Criminal History
☐ Place of Birth
☐ Home Address
☐ Telephone Number
☐ Email Address
☐ Education Records
☐ Zip Code
☐ Financial Information
☐ Medical Information
☐ Military Service
☐ Mother’s Maiden Name
☐ Health Plan Numbers
☐ Other:

Work-Related Data
☐ Occupation
☒ Job Title
☐ Work Address
☐ PIV Card Information
☒ Telephone Number
☒ Email Address
☐ Certificate/License Number
☒ Fax Number
☐ Salary
☐ Work History
☐ Business Associates
☐ Other:

Distinguishing Features/Biometrics
☐ Fingerprints
☐ Voice Recording
☐ Photographs
☐ Video Recordings
☐ Genetic Information
☐ Voice Signature
☐ Other:

System Administration/Audit Data
☒ User ID
☐ IP Address
☒ Date/Time of Access
☐ Queries Ran
☐ ID Files Accessed
☐ Contents of Files
☐ Other:

3.2 Why is the Personally Identifiable Information (PII) listed in Question 3.1 collected, used, shared, or maintained by the system or project?
The system collects the name, phone number, fax number and e-mail address of the individual who filed on
behalf of an SRO or SCI entity from Form 19b-4 via the EFFS component. PII is used to follow-up on a filing
or to send email notification of filing submission.
3.3 Whose information may be collected, used, shared, or maintained by the system?
☒ SEC Employees
Purpose: Access Control, Monitoring, Audit Trails
☒ SEC Federal Contractors
Purpose: Access Control, Monitoring, Audit Trails
☐ Interns
Purpose:
☒ Members of the Public
Purpose: Contact information for the individual who submitted a filing on behalf of an SRO or SCI entity.
☐ Employee Family Members
Purpose:
☐ Former Employees
Purpose:
☐ Job Applicants
Purpose:
☐ Vendors
Purpose:
☐ Other:
Purpose:

3.4 Describe the PII minimizing mechanisms and if the PII from the system is being used for testing, training, and/or research efforts.
PII is minimized in the system by only collecting information necessary to contact the submitter for post-filing
follow-up. PII is not used for testing, training, or research efforts. Fictitious data is used for testing, which is
conducted only in the development or stage environments.
3.5 Has a retention schedule been established by the National Archives and Records Administration (NARA)?
☐ No
☒ Yes
NC1-266-82-1, Item 8 (Forms 19b-4 and 19b-7) – Miscellaneous SEC File Numbers
DAA-0266-2018-0006, Item 2 (Form SCI) – Research, Analysis, and Monitoring Records
3.6 What are the procedures for identification and disposition at the end of the retention period?
Records are maintained until they become inactive, at which time they are retired or destroyed in accordance
with the corresponding retention schedules identified in Section 3.5.
3.7 Will the system monitor members of the public, employees, and/or contractors?
☒ N/A
☐ Members of the Public
Purpose:
☐ Employees
Purpose:
☐ Contractors
Purpose:
3.8 Considering the type of information collected, what privacy risks were identified and how were those risks mitigated?
The privacy risk is inadvertent or unauthorized disclosure of information that may result in inappropriate use of
personal or non-public information. To minimize this risk, access controls are in place to restrict access to only
the information a user has a need to know. SROs and SCI entities can only access the data previously submitted by the
entity. Additionally, filing instructions for the forms direct filers to only provide business contact information
to enable the SEC to follow up on the filing.
Section 4: Openness and Transparency

4.1 What forms of privacy notice were provided to the individuals prior to collection of data? Check all that apply.
☐ Privacy Act Statement
☐ System of Records Notice (SORN)
☒ Privacy Impact Assessment
Date of Last Update: 9/30/2013
☐ Web Privacy Policy
☒ Other notice: Notice of “Official Use Only” is provided on the EFFS login portal
☐ Notice was not provided.
4.2 Considering the method(s) of notice provided, what privacy risks were identified regarding adequate notice and how were those risks mitigated?
There is minimal risk to privacy regarding adequate notice because the web privacy policy on the EFFS login
page and this PIA provide sufficient notice.
Section 5: Limits on Uses and Sharing of Information

5.1 What methods are used to analyze the data?
The system does not analyze data that is collected.
5.2 Will internal organizations have access to the data?
☐ No
☒ Yes
Organizations: TM, EXAMS
5.3 Describe the risk to privacy from internal sharing and describe how the risks are mitigated.
Risk to internal sharing is minimal because only authorized TM and EXAMS users have access to the system.
5.4 Will external organizations have access to the data?
☒ No
☐ Yes
Organizations:
5.5 Describe the risk to privacy from external sharing and describe how the risks are mitigated.
There is no sharing with external organizations.
Section 6: Data Quality and Integrity

6.1 Is the information collected directly from the individual or from another source?
☐ Directly from the individual.
☒ Other source(s): SRO and SCI Entities

6.2 What methods will be used to collect the data?
From the EFFS component, data is collected from external filers using Apache PDFBox. Apache PDFBox is
used to view, fill, sign, and submit the forms within the SRTS component. In addition, Word or Adobe Portable
Document Format (PDF) may be used for documents submitted as exhibits to a form. These exhibits are also
submitted with Apache PDFBox through the SRTS component.
6.3 How will the data collected from individuals, or derived by the system, be checked for accuracy and completeness?
Data provided by the filers is not checked for accuracy by the system. Filers are notified on the forms that they
are required to provide accurate, comprehensible, and complete information, pursuant to the SEC Rules stated
on the forms. SEC personnel manually review the submissions and use the system to reject filings that are
deemed incomplete or deficient.
6.4 Does the project or system process, or access, PII in any other SEC system?
☒ No
☐ Yes
System(s):
6.5 Consider the sources of the data and methods of collection and discuss the privacy risk for this system related to data quality and integrity. How are these risks mitigated?
The potential risk is that inaccurate or erroneous information about an individual could be used by SEC
personnel. This risk is minimized because the information is collected directly from the individual, who is
required to provide accurate and complete information pursuant to SEC Rules. SEC personnel return incomplete
or otherwise deficient forms to the filer for correction as described in section 6.3.
Section 7: Individual Participation

7.1 What opportunities are available for individuals to consent to uses, decline to provide information, or opt out of the project? If no opportunities are available to consent, decline or opt out, please explain.
Entities do not have the opportunity to consent, decline or opt out of the collection of information. They are
required to provide information to the SEC under federal securities laws.
7.2 What procedures are in place to allow individuals to access their information?
Individuals seeking notification of or access to any record contained in this system may submit a request in
writing to the FOIA/PA Officer, Securities and Exchange Commission, 100 F Street NE, Washington, DC
20549-2736.
7.3 Can individuals amend information about themselves in the system? If so, how?
An authorized individual representing an SRO or SCI entity may submit subsequent filings to amend
information previously submitted for a filing. In addition, the authorized individual may submit a request in
writing to the FOIA/Privacy Act Officer, Securities and Exchange Commission, 100 F Street NE, Washington,
DC 20549-2736 or may submit a request electronically to [email protected] or online.
7.4 Discuss the privacy risks related to individual participation and redress. How were these risks mitigated?
There are no identified privacy risks related to individual participation because information is only collected
from entities. No mitigation actions are recommended. SORNs SEC-03 and SEC-25 provide notice for
participation and redress for information collected and maintained in this system.
Section 8: Security

8.1 Can the system be accessed outside of a connected SEC network?
☐ No
☒ Yes (EFFS is the outward public-facing portal.)
If yes, is secured authentication required?
☐ No
☒ Yes
☐ Not Applicable
Is the session encrypted?
☐ No
☒ Yes
☐ Not Applicable

8.2 Does the site have a posted privacy notice?
☐ No
☐ Yes
☒ N/A

8.3 Does the project or system use web measurement and/or customization technologies?
☒ No
☐ Yes, but they do not collect PII
☐ Yes, and they collect PII

Section 9: Accountability and Auditing

9.1 Describe what privacy training is provided to users, either general or specific to the system or project.
All SEC staff and contractors receive initial and annual privacy awareness training, which outlines roles and
responsibilities for proper handling and protection of PII. SEC Rules of the Road ensure that employees and
contractors are aware of their security responsibilities and how to fulfill them.
9.2 Does the system generate reports that contain information on individuals?
☒ No
☐ Yes
9.3 Do contracts for the system include Federal Acquisition Regulation (FAR) and other applicable clauses ensuring adherence to the privacy provisions and practices?
☐ No
☐ Yes
☒ This is not a contractor operated system
9.4 Does the system employ audit logging or event logging?
☐ No
☒ Yes
9.5 Given the sensitivity of the PII in the system, manner of use, and established safeguards, describe the expected residual risk related to access.
Access to SRTS/EFFS is limited only to authorized SEC staff and authorized individuals representing entities.
The risk to privacy related to access is minimized because role-based access control and other security
mechanisms are implemented to safeguard the system.