Privacy Impact Assessment for the Central Data Exchange

I. Data in the System

  1. Generally describe what information will be collected in the system.

    This system contains records including the individual's name, self-assigned user name and security question, work title, work address and related work contact information (e.g., phone and fax numbers, e-mail address), supervisor's name and related contact information, information related to the EPA reporting program under which the individual plans to electronically file or report (e.g., EPA program ID # and EPA program role), and the method of reporting (web browser, file exchange). To obtain authorization to use certain applications (e.g., Toxic Release Inventory Form R), individuals may be asked to provide personal information such as date of birth, mother's maiden name, or date of high school graduation; however, these data are passed to the program system and are not stored within the CDX registration system. The individual registering for CDX will also generate a self-assigned password that is stored on the CDX-CRS but is accessible only to the registering individual. The system will also store other system-generated data such as the registration date and time, digital certificate identifier and other identifiers for internal tracking. CDX does not create a specific personal identifier number for registrants.

  2. What are the sources and types of the information in the system?

    This system contains records on all individuals who have either attempted to register or have registered to obtain an account to use CDX for electronically exchanging data with EPA. Registered users of EPA's CDX-CRS may include representatives of industry, government or laboratories exchanging information with EPA through CDX.

  3. How will the data be used by the Agency?

    The data may be used in the following manners:

    1. To verify the identity of the individual
    2. To enforce the conditions or terms of Agency program regulations
    3. To investigate possible fraud and verify compliance with Agency program regulations
    4. To prepare for litigation or to litigate collection service and audit
    5. To initiate a limitation, suspension and termination (LS&T), debarment or suspension action
    6. To investigate complaints, update files and correct errors

  4. Why is the information being collected? (Purpose)

    Primarily to protect CDX and its users from potential damage from unauthorized users. This information is needed to provide assurance to EPA that the customers of the system are appropriately identified to EPA. In this way EPA can protect itself and its customers from potential impacts if CDX or the data submitted through CDX were somehow compromised. Information is collected only if EPA's external customers (industry, laboratories, states, etc.) voluntarily choose to submit compliance data electronically to EPA.

II. Access to the Data

  1. Who will have access to the data in the system? (inside and outside parties)

    Access to information in the system will be granted to the following personnel/for the following purposes:

    • Disclosure for Law Enforcement
    • Disclosure to a Requesting Agency
    • Disclosure to Congressional Offices
    • Disclosure to Department of Justice
    • Disclosure to the National Archives
    • Disclosure to Contractors, Grantees and Others
    • Disclosure for Administrative Claims, Complaints and Appeals
    • Disclosure in Connection With Litigation

    The agency will also provide access to users of the system and system administrators who are EPA contractors. In rare instances, developers and other managers may be granted access. The Agency may disclose records to a researcher if an appropriate official of the Agency determines that the individual or organization to which the disclosure would be made is qualified to carry out specific research related to functions or purposes of this system of records. The official may disclose records from this system of records to that researcher solely for the purpose of carrying out that research related to the functions or purposes of this system of records. The researcher shall be required to maintain Privacy Act safeguards with respect to the disclosed records.

  2. What controls are in place to prevent the misuse of data by those having access?

    • All EPA Personnel and contractors working under the EPA's CDX contract go through background investigations based on level of access with separation of duties for audit purposes.

    • Security controls are based primarily on Oracle security controls on a Windows NT Enterprise Server platform, scanned by the ESM monitor for security compliance.

    • Data are exposed through views to provide an additional layer of protection against unauthorized access to the underlying database tables.

    • Users may only access their "MyCDX" private directory, which contains the forms/applications they have been approved to use for exchanging data with EPA. They can only modify the data they enter on the forms/templates CDX provides and cannot access data in EPA systems. Should a user attempt to reach restricted areas, CDX is separated from EPA programmatic data by additional security/firewall barriers. The CDX architecture is designed to make it extraordinarily difficult for users to leverage CDX access to gain entry into unintended areas.

    Another form of misuse could be in the context of "fraud": a CDX user could attempt to fraudulently submit data through a CDX webform/template. To mitigate this, CDX has instituted additional certification, verification and archiving steps to ensure that EPA can take legal action against fraudulent submissions. These steps augment EPA programs' existing compliance-checking routines on the data received from their regulated communities and regulatory partners.

  3. Do other systems share data or have access to data in this system? If yes, explain.

    Yes. CDX is the Agency's portal for exchanging environmental data across heterogeneous systems. Therefore, a primary function of CDX is to connect EPA program systems with their many external partners and to exchange environmental data between them. In providing this service, CDX may either pass data from external users directly to program data systems or post data received from external users to a secure directory from which an EPA program may retrieve and download them. In both instances CDX deploys an architecture that serves as a secure bridge between EPA's internal data systems and its many external data-sharing partners.

  4. Who will be responsible for protecting the privacy rights of the individuals affected by the interface? (i.e., System Administrators, System Developers, System Managers)

    Privacy Act responsibilities have been assigned to several individuals:

    • Connie Dwyer, Chief of Central Receiving Branch is responsible for overall management of the CDX branch;

    • Wendy Timm, CDX project officer, responsible for ensuring that the CDX contractor staff are aware of and fulfill the requirements under the contract for the management of Privacy Act data, and for ensuring the proper implementation of regulatory and policy requirements on the CDX project;

    • Chris Clark and Greg Mitchell, CDX technology experts, responsible for ensuring the proper technical implementation of security requirements.

  5. Will other agencies, state or local governments share data or have access to data in this system? (Includes any entity external to EPA.)

    Agencies that may obtain information include, but are not limited to: the Office of Personnel Management, Office of Special Counsel, Merit Systems Protection Board, Federal Labor Relations Authority, Equal Employment Opportunity Commission, and Office of Government Ethics. If the Agency determines that disclosure of certain records to a party, counsel, representative or witness in an administrative proceeding is relevant and necessary to the litigation, the Agency may disclose those records as a routine use to the party, counsel, representative or witness.

  6. Do individuals have the opportunity to decline to provide information or to consent to particular uses of the information? If yes, how is notice given to the individual? (Privacy policies must clearly explain where the collection or sharing of certain information may be optional and provide users a mechanism to assert any preference to withhold information or prohibit secondary use.)

    Yes, CDX provides users the opportunity to decline to provide information at several stages. First, all individuals electing to use CDX are given advance notice that the use of CDX is voluntary and that they may still opt to use paper or other alternative methods of filing electronically. Second, those who opt to use CDX must first access CDX through a web page that includes a warning and links to a Privacy Act Notice consistent with federal and EPA standards. Finally, prior to submitting information, individuals are prompted through "pop-ups" that ask whether they are ready to send or wish to cancel.

  7. How will the information be secured?

    Within EPA, CDX secures information through a series of controls under an EPA-approved security plan that includes physical access controls, management controls and information security controls. CDX has also successfully undergone risk assessments and vulnerability testing of these security controls. We also perform annual self-assessments [the ASSERT] following NIST guidelines to evaluate the safety and security of sensitive data classified in the Central Data Exchange. As discussed in question II.2, we also maintain security by ensuring that:

    • All Contract/EPA Personnel go through background investigations based on level of access with separation of duties for audit purposes.

    • Security controls are based primarily on Oracle security controls on a Windows NT Enterprise Server platform, scanned by the ESM monitor for security compliance.

    • Data are exposed through views to provide an additional layer of protection against unauthorized access to the underlying database tables.

III. Attributes of the Data

  1. Is the use of the data both relevant and necessary to the purpose for which the system is being designed?

    As discussed under Sections I (3) and I (4), the purpose of CDX is to offer EPA's customers the service option of filing reports electronically. Secure access to electronic exchange services requires EPA to establish a level of assurance for each user that is commensurate with the risks presented by a particular data exchange. To establish the necessary level of assurance, a user must provide sufficient information about themselves to assure EPA that their identity is authentic and that they are authorized for the appropriate services. Absent this information, EPA has no way of protecting the system from potential abuse, nor does the user have assurance that their data are protected.

  2. If data are being consolidated, what controls are in place to protect the data from unauthorized access or use?

    CDX is the Agency's portal for exchanging environmental data across heterogeneous systems. Therefore, a primary function of CDX is to consolidate the processes associated with exchanging environmental data between EPA program systems and their many external partners. In providing this service, the CDX design uses table views within the database management system to provide secured access to consolidated data. Access is granted through roles and privileges administered to give each user the appropriate level of access to data.
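    The view-and-role pattern described in II.2 and III.2 (views shielding the base tables, access granted through roles/privileges), shown as an added illustration that is not CDX's own schema. The table, column names, the program code 'TRI' and the role names are constructed for this example; the credential columns are assumed to hold hashes rather than the values themselves.

```sql
-- Constructed registration table carrying the kinds of fields the PIA lists.
-- The credential columns are never exposed through any view below.
CREATE TABLE cdx_registrant (
    registrant_id        NUMBER        PRIMARY KEY,
    user_name            VARCHAR2(64)  NOT NULL UNIQUE,
    full_name            VARCHAR2(128) NOT NULL,
    work_email           VARCHAR2(254),
    work_phone           VARCHAR2(32),
    program_id           VARCHAR2(32),       -- e.g. the constructed code 'TRI'
    program_role         VARCHAR2(32),
    password_hash        RAW(64)       NOT NULL,  -- assumption: hashed, not plaintext
    security_question    VARCHAR2(256),
    security_answer_hash RAW(64),               -- assumption: hashed, not plaintext
    registered_at        TIMESTAMP     DEFAULT SYSTIMESTAMP
);

-- Help-desk view: contact and program data only; credential columns are
-- not selectable through it, so a compromised help-desk account cannot read them.
CREATE VIEW v_registrant_helpdesk AS
SELECT registrant_id, user_name, full_name, work_email, work_phone,
       program_id, program_role, registered_at
FROM   cdx_registrant;

-- Program-office view: narrowed further to one program's registrants
-- (row filter) and to the columns that program needs (column filter).
CREATE VIEW v_registrant_tri AS
SELECT registrant_id, user_name, full_name, work_email
FROM   cdx_registrant
WHERE  program_id = 'TRI';

-- Roles receive SELECT on the views only. No privilege is ever granted on
-- the base table, which remains reachable only by the schema owner / DBA.
CREATE ROLE cdx_helpdesk;
GRANT SELECT ON v_registrant_helpdesk TO cdx_helpdesk;

CREATE ROLE cdx_tri_program;
GRANT SELECT ON v_registrant_tri TO cdx_tri_program;

-- Verification from a session holding only cdx_helpdesk (in another schema):
-- the base table is invisible to it, while the view works as intended.
-- SELECT password_hash FROM owner.cdx_registrant;        -- fails: ORA-00942
-- SELECT user_name, work_email FROM owner.v_registrant_helpdesk;  -- permitted
```

    A periodic check against DBA_TAB_PRIVS for any grant naming the base table directly is the simplest way to confirm the layering has not been bypassed over time.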

  3. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access?

    CDX was designed as a consolidated process for collecting data electronically, and all of its security controls were therefore designed to be appropriate for a consolidated process. These controls, as discussed above, are described in detail in an EPA-approved security plan and have been successfully tested through a series of vulnerability tests.

  4. How will data be retrieved? Can it be retrieved by personal identifier? If yes, explain.

    No. Data are not retrieved by a personal identifier, nor does CDX generate such a number. Data may be retrieved from the system in a number of different ways: by an individual's address, last name or other searchable data provided by the registrant at the time of registration. Registered users must generate a password to access the system; however, CDX staff cannot access the user's self-generated personal password on this system. These data are stored in an encrypted directory accessible only to the individual registrant. Registration data are maintained in a secure environment and can only be retrieved by the CDX system management and help desk staff, composed of a very small number of individuals who have undergone specific training and background checks as part of their responsibilities.

  5. What achievements of goals for machine readability have been incorporated into this system? Where is the policy stated? (Machine readable technology enables visitors to easily identify privacy policies and make an informed choice about whether to conduct business with that site.)

    To address Section 508 design requirements, as part of its initial design CDX avoided highly complex JavaScript and relied on fairly simple .asp web pages to avoid problems associated with machine readability. This allows visitors using machine reader technology unhindered access to materials, including Privacy Act policies, on the CDX website.

IV. Maintenance of Administrative Controls

  1. What are the retention periods of data in this system? (You may check with the record liaison officer (RLO) for your AA-ship, Tammy Boulware (Headquarters Records Officer) or Judy Hutt, Agency Privacy Act Officer, to determine if there is a retention schedule for the subject data.)

    CDX is coordinating with the Headquarters Records Officer to develop a record schedule. At this time CDX is defining record retention as "indefinite" as per instructions from the HRO. Upon completion of the record schedule within approximately the next 18 months, the retention of CDX records will be more narrowly defined. At that time, the CDX record schedule should be posted.

  2. What are the procedures for eliminating the data at the end of the retention period? Where are the procedures documented?

    OEI is in the process of developing a record retention system in accordance with NARA guidelines. Current documentation is in the implementation plan in our CDX design document.

  3. While the data are retained in the system, what are the requirements for determining if the data are still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?

    Users will periodically have to review their password and validate submissions. Digital signature users will be asked to certify to the truth and accuracy of their data.

  4. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.

    In order to ensure that CDX can notify an individual user if there are problems (corrupted files submitted, apparent hacking or misuse of the system, a potential legal/enforcement issue posed by data submitted, etc.), CDX must be able to identify, locate and audit individuals while they use the system. EPA's CDX does not make use of persistent cookies or other devices that enable monitoring beyond the user's access to CDX while the user is online. CDX User Registration provides mailing address and contact information for the user IDs tied to all registered individuals. The Archive-1 procedure records all update activities performed by individual users, keyed by user ID.

  5. Is there any persistent tracking technology available?

    CDX does not have persistent tracking technology, but it does deploy software used to maintain audit and recovery records of specific transactions. This software could be invoked to record all activity during a particular web session; however, this is not done because of server processing demands, nor is it necessary for audit purposes.

  6. Under which System of Records notice (SOR) does the system operate? Provide the name of system and number if applicable. ( A SOR is any collection of records under the control of the Agency in which the data is retrieved by a personal identifier. A personal identifier is a name, Social Security Number, or other identifying symbol assigned to an individual, i.e. any identifier unique to an individual. The Privacy Act Officer will ensure that a SOR is developed for your system if necessary.)

    The notice was published March 18, 2002, vol. 67, number 52 (pp. 12010-12013), EPA-52.

  7. If the system is being modified, will the SOR require amendment or revision? Explain.

    CDX believes that there will be times when the SOR will need to be updated to reflect changes to the system. Such changes could involve adding new EPA applications to CDX that would expand the collection of privacy information, significant changes to the internal CDX security procedures, or other events in response to new EPA or federal policies and guidance. When such changes occur, CDX will publish an update to the SOR describing them.
