Privacy Impact Assessment for the Office of Administrative Services Information System
I. Data in the System
Generally describe what data/information will be collected in the system.
- Employee name
- Social security number
- Office address
- Home address
- Office and home phone number
- Pay grade
- Emergency contact information
- Facility information
- Mail routings
- Parking, car pool, and transit information
- Fitness Center membership information
- Motor pool information
- Locks, combos, credentials and incident reports
- EPA property
- Physical vulnerabilities of EPA facilities and mitigations
- Mail address of recipient and sender
- Costs of postage
- Print job number and cost
PERSONNEL SECURITY INFORMATION
- Background Information
- Employee Name
- Social Security Number
- Pay Grade
- Security Level
- Fingerprints
- SF-85 & SF-86 Information
- Risk Designation
What are the sources and types of the information in the system?
Employees supply the information on the application form. Employee records come from the People Plus system. Background information comes from OPM, the FBI and the State Department. The Fitness System requires information from the employee's doctor.
How will the data be used by the Agency?
To assist the Office of Administration and Resource Management (OARM) in the management of EPA's human resource programs, including employee benefits and services. To facilitate the maintenance and operations of all EPA facilities, including: space management and utilization; facilities construction, acquisition, design, and layout; facilities management, maintenance and repairs; property management; transportation; security; background information; clearances; mail management; and the workplace health and safety of EPA employees.
Why is the information being collected? (Purpose)
To administer and manage administrative resources for the EPA, and to incorporate the collection of background information on each employee as per Homeland Security Presidential Directive-12.
II. Access to the Data
Who will have access to the data/information in the system (internal and external parties)? If contractors, are the Federal Acquisition Regulations (FAR) clauses included in the contract (24.104 Contract clauses; 52.224-1 Privacy Act Notification; and 52.224-2 Privacy Act)?
Authorized EPA and contractor employees have access to the data. The standard privacy FAR clauses are in the contract.
What controls are in place to prevent the misuse of data by those having authorized access?
Access to this system is limited to a few individuals who have user IDs and passwords. These individuals must have annual security training. Employees must read and sign IT rules of behavior.
Do other systems share data or have access to data/information in this system? If yes, explain who will be responsible for protecting the privacy rights of the individuals affected by the interface? (i.e., System Administrators, System Developers, System Managers)
No other system has access to OASIS data.
Will other agencies, state or local governments share data/information or have access to data in this system? (Includes any entity external to EPA.)
No other agency has access to OASIS data. This system is internal to EPA.
Do individuals have the opportunity to decline to provide information or to consent to particular uses of the information? If yes, how is notice given to the individual? (Privacy policies must clearly explain where the collection or sharing of certain information may be optional and provide users a mechanism to assert any preference to withhold information or prohibit secondary use.)
Yes, individuals have the opportunity to decline to provide private information at the time they fill out the application, with the exception of background information as required by Homeland Security Presidential Directive-12, which is mandatory for all federal employees.
III. Attributes of the Data
Explain how the use of the data is both relevant and necessary to the purpose for which the system is being designed.
The data are necessary to determine eligibility for services and to facilitate access to EPA-controlled facilities and information technology systems.
If data are being consolidated, what controls are in place to protect the data from unauthorized access or use? Explain.
If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
How will data be retrieved? Can it be retrieved by personal identifier? If yes, explain. (A personal identifier is a name, Social Security Number, or other identifying symbol assigned to an individual, i.e. any identifier unique to an individual.)
Data can be retrieved by an employee's name or Social Security number.
Not applicable. Access to the system is limited to a few EPA personnel and contractors.
IV. Maintenance of Administrative Controls
Has a record control schedule been issued for the records in the system? If so, provide the schedule number. What are the retention periods for records in this system? What are the procedures for eliminating the records at the end of the retention period? (You may check with the record liaison officer (RLO) for your AA-ship, Tammy Boulware (Headquarters Records Officer) or Judy Hutt, Agency Privacy Act Officer, to determine if there is a retention schedule for the subject records.)
The record control schedule established for this system is 740. The volume of OASIS data is currently so small (20 GB) that the retention period of the OASIS data is currently indefinite.
While the data are retained in the system, what are the requirements for determining if the data are still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?
For EPA employee data, every other week we synchronize our data with the data generated by the EPA PeoplePlus system. For all other data, it is the responsibility of the users to keep their data accurate, relevant, timely and complete.
Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.
Yes, by office, name, location phone number, home address, home phone.
Does the system use any persistent tracking technologies?
Under which System of Records (SOR) notice does the system operate? Provide the name of the system and its SOR number if applicable. For reference, please view this list of Agency SORs. (A SOR is any collection of records under the control of the Agency in which the data is retrieved by a personal identifier. The Privacy Act Officer will determine if a SOR is necessary for your system.)
EPA - 41 Office of Administrative Services Information System (OASIS)