An official website of the United States government.

This is not the current EPA website. To navigate to the current EPA website, please go to This website is historical material reflecting the EPA website as it existed on January 19, 2021. This website is no longer updated and links to external websites and some internal pages may not work. More information »

Privacy Impact Assessment for the Confidential Business Information Records Access System for the Toxic Control Substances Act

On this page:

I. Data in the System

  1. Generally describe what data/information will be collected in the system.

    Data in the system pertains to information on submissions received by EPA associated with the Toxic Control Substances Act (TSCA) and does not include Privacy Act Information. The system also includes data on EPA staff and contractors who are Confidential Business Information (CBI) cleared based on information they provide on form EPA 7740-6. Data from this form may include social security numbers if staff choose to provide this information rather than a 9 digit unique identifier.

  2. What are the sources and types of the information in the system?

    Data on submissions is drawn directly from the submissions themselves. Data on CBI certified individuals is taken from form EPA 7740-6.

  3. How will the data be used by the Agency?

    Submission data is used to track TSCA submissions. Data on CBI certified personnel is used for puposes of tracking when and who has checked out TSCA submissions from the OPPT Confidential Business Information Center. Social security numbers or the 9 digit unique identifier are used to identify each person in ORACLE/CBITs that applies for access to TSCA CBI. Access to the social security information in the system is limited to a small number of selected individuals.

  4. Why is the information being collected? (Purpose)

    Submission data is required under TSCA. CBI clearance information is requested on Form 7740-6 required by the TSCA CBI Manual.

Top of Page

II. Access to the Data

  1. Who will have access to the data/information in the system (internal and external parties)? If contractors, are the Federal Acquisition Regulations (FAR) clauses included in the contract (24.104 Contract clauses; 52.224-1 Privacy Act Notification; and 52.224-2 Privacy Act)?

    Data in the system is only accessible by approved individuals who are CBI certified and have submitted form 7740-25 (TSCA CBI Automated Data Processing User Registration Form), including both selected EPA and contract staff. The FAR clauses are included in the SOW for contractor support pertaining to use and access of the system.

  2. What controls are in place to prevent the misuse of data by those having authorized access?

    Access to data is limited to those who are CBI cleared and have been given access to the information. All staff are fully trained on CBI and can only access the data in a designated Secure Storage Area. Social security number or the 9 digit unique identifier are used to identify each person that applies for access to TSCA CBI.

  3. Do other systems share data or have access to data/information in this system? If yes, explain who will be responsible for protecting the privacy rights of the individuals affected by the interface? (i.e., System Administrators, System Developers, System Managers)


  4. Will other agencies, state or local governments share data/information or have access to data in this system? (Includes any entity external to EPA.)


  5. Do individuals have the opportunity to decline to provide information or to consent to particular uses of the information? If yes, how is notice given to the individual? (Privacy policies must clearly explain where the collection or sharing of certain information may be optional and provide users a mechanism to assert any preference to withhold information or prohibit secondary use.)

    Yes. For CBI certification they can choose to create a 9 digit unique identifier that is not their social security number.

Top of Page

III. Attributes of the Data

  1. Explain how the use of the data is both relevant and necessary to the purpose for which the system is being designed.

    9 digit unique identifier is used solely for tracking which CBI certified individual has checked out TSCA submissions from the OPPT Confidential Business Information Center.

  2. If data are being consolidated, what controls are in place to protect the data from unauthorized access or use? Explain.

    Not applicable.

  3. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.

    Not applicable.

  4. How will data be retrieved? Can it be retrieved by personal identifier? If yes, explain. (A personal identifier is a name, Social Security Number, or other identifying symbol assigned to an individual, i.e. any identifier unique to an individual.)

    When checking out submissions to CBI certified staff, their information (e.g., name, organization, etc.) can be retrieved by their name or 9 digit unique identifier.

  5. Is the Web privacy policy machine readable? Where is the policy stated? (Machine readable technology enables visitors to easily identify privacy policies and make an informed choice about whether to conduct business with that site.)

    Not applicable.

Top of Page

IV. Maintenance of Administrative Controls

  1. Has a record control schedule been issued for the records in the system? If so, provide the schedule number. What are the retention periods for records in this system? What are the procedures for eliminating the records at the end of the retention period? (You may check with the record liaison officer (RLO) for your AA-ship, Tammy Boulware (Headquarters Records Officer) or Judy Hutt, Agency Privacy Act Officer, to determine if there is a retention schedule for the subject records.)

    Yes. The following schedules apply to the data in the system: 247, 248, 260, 261, 292, 295, 372, 624

  2. While the data are retained in the system, what are the requirements for determining if the data are still sufficiently accurate, relevant, timely and complete to ensure fairness in making determinations?

    Not applicable.

  3. Will this system provide the capability to identify, locate and monitor individuals? If yes, explain.


  4. Does the system use any persistent tracking technologies?


  5. Under which System of Records (SOR) notice does the system operate? Provide the name of the system and its SOR number if applicable. For reference, please view this list of Agency SORs. (A SOR is any collection of records under the control of the Agency in which the data is retrieved by a personal identifier. The Privacy Act Officer will determine if a SOR is necessary for your system.)


Top of Page