Privacy Impact Assessment for the EPA Acquisition System
I. Data in the System
Generally describe what data/information will be collected in the system.
The data in the EAS is that required and/or allowed under the Federal Acquisition Regulations (FAR) for the business process of acquiring goods and services in support of the Agency's mission. This includes planning, solicitation, award, contract administration and close out of contracts and purchase orders.
What are the sources and types of the information in the system?
The sources of the data are the EPA internal acquisition process, the EPA financial systems and the vendor/contracting community. Contractor and vendor data in the system is also provided by the General Services Administration (GSA) managed Shared System Inventory which is part of the President's Management Agenda Integrated Acquisition Environment (IAE). The following types of information may be included in EAS:
- Acquisition/Buying: Contract or Purchase Vehicle including statement of work or specification, Funding Vehicle
- Location: Location
- Financial: Obligations and Commitments; Funds Management; Program Information; Planning and Performance Information
- Human Asset: Person; Business Card; Information Technology Access Information; Organization
Contractor information, which includes the name of the contractor or vendor and their tax information number, will be included in the EAS from the IAE Contractor Registry maintained for government wide use by the GSA. Data on the contractor or vendor may consist of their organization DUNS number and the contract or proposal provided by the applicant either on paper through a response to proposal, unsolicited proposal or electronically by an applicant responding to online auctions, reverse auctions or other electronic notice and entering the data. Information on EPA employees comes from the Agency payroll system. Data on the decision to award the contract or purchase order, award information, and funding information will be pulled by the system from earlier document input (such as the acquisition initiation documents) or input in the system by EPA employees.
How will the data be used by the Agency?
Data is used as described in the Federal Acquisition Regulations (FAR), the EPA Acquisition Regulations (EPAAR) and the EPA Contracts Administration Manual (CMM). The proposal data is evaluated by the Agency to determine whether or not it will result in award. Data will also be used to administer (manage) contracts or purchase orders in accordance with the FAR part 42 and related sections. Person and organization data on applicants are used to contact the applicant and the DUNS and tax ID number will be used to identify the organization, company or sole proprietor for payment purposes.
Why is the information being collected? (Purpose)
The data will be collected to accomplish the business process of acquiring goods and services in support of the Agency's mission. The data is also used to provide Congress and other Government agencies information on compliance with socioeconomic programs and to respond to inquiries for public information.
II. Access to the Data
Who will have access to the data/information in the system (internal and external parties)? If contractors, are the Federal Acquisition Regulations (FAR) clauses included in the contract (24.104 Contract clauses; 52.224-1 Privacy Act Notification; and 52.224-2 Privacy Act)?
Contractors or vendors that propose or respond electronically will have access to their own data but no other organization's data. No other external entity will have access to data in EAS. The EAS may be maintained by contractors or by EPA employees. If operated/maintained by contractor, it will be a limited group of contractor staff who operate the EAS and the User Help Desk. The EAS may share resources with other government agencies under collaboration initiatives such as the IAE and the privacy impact statement will be updated if a resource sharing strategy or solution is identified.
Contractors or government employees supporting the EAS may have access to all the data in EAS and must all sign agreements for non-disclosure of information. Clauses will be included in the COTS acquisition contract and in support contracts for the investment, testing and system support which will define contractor requirements and responsibilities relative to developing Privacy Act Systems of Records and handling data protected by the Privacy Act. The clauses that will be required in the BY2007 solicitation are defined by the FAR, EPAAR and CMM. Additional clauses may be required due to changes in legislation.
EPA employees only have access to contract data for which they are involved in review, approval, funding or management. EPA employees also have access to award information on all contracts. OAM managers and the EAS system managers will have access to broader or perhaps all of the data, depending upon the COTS products and collaboration arrangements determined in BY 2007.
The solicitation for and award of the successful COTS contract will include FAR clauses 24.104 Contract clauses; 52.224-1 Privacy Act Notification; and 52.224-2 Privacy Act.
What controls are in place to prevent the misuse of data by those having authorized access?
The acquisition functions are defined within the FAR and only specific individuals may perform certain functions. It is therefore reasonable to assume that the successful COTS will specify the different Roles the user can have in the system. The ability to create documents and perform various system functions will be determined by user Roles. Each authorized user of the system will have a record within the Agency and COTS determined configuration. Local management will determine what roles staff can hold in the system. User access and roles will be re-authorized whenever a change is made to the system or individuals privileged within the system. The overall review of the roles will be no less often than annually.
EPA staff are and will be subject to agreements, rules of behavior and Agency guidance, orders, regulations and laws as well. By controlling the level of access for specific individuals, the risk of misuse is minimized. Additionally, strict adherence to records/information management standard operating procedures is enforced as much as practicable by Agency records officers/liaisons and the respective supervisors and managers and contract administrators of system users. The types of changes that a privileged user may make to a document shall be further restricted by the Roles or other method that is within the industry best practices when the COTS is selected.
Periodic training will be provided to system users, and application-specific training will be available either as scheduled or on a one-on-one basis. Specific EAS Security training and acknowledgment of the System Rules of Behavior on an annual basis will be required for all EAS users in FY2007. Federal IT staff with access to EAS data will be identified as occupying positions of a moderate level of public trust and are trained accordingly. Contractor personnel with access to the data will be required to sign non-disclosure agreements.
Do other systems share data or have access to data/information in this system? If yes, explain who will be responsible for protecting the privacy rights of the individuals affected by the interface? (i.e., System Administrators, System Developers, System Managers)
The EAS will be tightly integrated with the new EPA financial system that will complete implementation in FY 2010. The requirements for integration of the systems are defined by the Office of Federal Financial Management (OFFM) documents on integration of acquisition and financial systems. The Joint Financial Management Improvement Program (JFMIP) was incorporated in the OFFM in December 2004. The system manager for the EAS will retain responsibility for privacy rights of the individuals affected by the interface.
The EAS will share data with the IAE shared system inventory. The amount of integration of the systems is not yet determined.
Will other agencies, state or local governments share data/information or have access to data in this system? (Includes any entity external to EPA.)
Data that should be or will be standardized throughout the Federal Government that is in the system will be acquired from and/or provided to the appropriate components of the IAE shared system inventory as provided by the e-Government initiatives. Specific systems that will share data will be defined in BY2006 and 2007 after market research and review of any proposed new or revised IAE components.
Process results such as contracts, purchase orders and other actions that are public information will be available to the public through the government wide access portals as provided by the IAE in FY 2007.
Do individuals have the opportunity to decline to provide information or to consent to particular uses of the information? If yes, how is notice given to the individual? (Privacy policies must clearly explain where the collection or sharing of certain information may be optional and provide users a mechanism to assert any preference to withhold information or prohibit secondary use.)
The system will provide opportunity to decline to provide information or consent to particular uses of the information. Information that is required by legislation to be disclosed to the public may be required to complete certain acquisition actions. Failure to disclose the information may result in the contractor or vendor being ineligible for award. The process and data are defined in the FAR and in the various solicitation vehicles.
III. Attributes of the Data
Explain how the use of the data is both relevant and necessary to the purpose for which the system is being designed.
The data that will be collected will be directly relevant to the application, approval, award, analysis and management of contracts and purchase orders. It allows the Agency to determine if the applicant meets the qualifications for the award. The data provides information needed to maintain contact with the contractor or vendor during the life of the acquisition, as well as information necessary to make payments and comply with socioeconomic programs of the Federal Government. The collection of this information is governed by law and regulation. The information collection for the legacy systems that this proposed investment replaces has been approved by OMB, meeting the requirements of the Paperwork Reduction Act.
If data are being consolidated, what controls are in place to protect the data from unauthorized access or use? Explain.
Data will be consolidated to provide reports and responses to inquiries. Information on individuals is not provided in public reports or websites.
If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
Processes are not being consolidated in these applications.
How will data be retrieved? Can it be retrieved by personal identifier? If yes, explain. (A personal identifier is a name, Social Security Number, or other identifying symbol assigned to an individual, i.e. any identifier unique to an individual.)
The data retrieval will be based upon elements such as company name, DUNS number, location or ownership information. The specific requirements for the COTS system have not been completed; however, data retrieval plans within the COTS systems will be evaluated and are a significant consideration in the selection process. The sole proprietor or owner of a privately held company may be uniquely identified within the system.
What achievements of goals for machine readability have been incorporated into this system? Where is the policy stated? (Machine readable technology enables visitors to easily identify privacy policies and make an informed choice about whether to conduct business with that site.)
Any portal available to the public for use related to the EAS will:
- collect only information that is relevant and necessary to carry out an agency function;
- maintain no secret records on individuals;
- explain at the time the information is being collected, why it is needed and how it will be used;
- ensure that the records are used only for the reasons given, or seek the person's permission when another purpose for the record's use is considered necessary or desirable;
- provide adequate safeguards to protect the records from unauthorized access and disclosure; and
- allow people to see the records kept on them and provide them with the opportunity to correct inaccuracies in their records.
The system will include the Privacy Act requirements as defined in Code of Federal Regulations, TITLE 40--Protection of Environment, CHAPTER I--ENVIRONMENTAL PROTECTION AGENCY, SUBCHAPTER A--GENERAL, PART 16--IMPLEMENTATION OF PRIVACY ACT OF 1974.
IV. Maintenance of Administrative Controls
Has a record control schedule been issued for the records in the system? If so, provide the schedule number. What are the retention periods for records in this system? What are the procedures for eliminating the records at the end of the retention period? (You may check with the record liaison officer (RLO) for your AA-ship, Tammy Boulware (Headquarters Records Officer) or Judy Hutt, Agency Privacy Act Officer, to determine if there is a retention schedule for the subject records.)
The schedule for retention of electronic records in the proposed EAS has not been established. A trade off analysis will be required to determine which records will be retained in various media types. The retention schedule for the electronic records in the EAS will be completed in BY 2007; however, the requirements that will be used in the trade off analysis for determining that schedule are included in the FAR part 4.805, copied below:
- Agencies must prescribe procedures for the handling, storing, and disposing of contract files. These procedures must take into account documents held in all types of media, including microfilm and various electronic media. Agencies may change the original medium to facilitate storage as long as the requirements of Part 4, law and other regulations are satisfied. The process used to create and store records must record and reproduce the original document, including signatures and other written and graphic images completely, accurately, and clearly. Data transfer, storage, and retrieval procedures must protect the original data from alteration. Unless law or other regulations require signed originals to be kept, they may be destroyed after the responsible agency official verifies that record copies on alternate media and copies reproduced from the record copy are accurate, complete and clear representations of the originals. Agency procedures for contract file disposal must include provisions that the documents specified in paragraph (b) of this section may not be destroyed before the times indicated and may be retained longer if the responsible agency official determines that the files have future value to the Government. When original documents have been converted to alternate media for storage, the requirements in paragraph (b) of this section also apply to the record copies in the alternate media.
- If administrative records are mixed with program records and cannot be economically segregated, the entire file should be kept for the period of time approved for the program records. Similarly, if documents described in the following table are part of a subject or case file which documents activities that are not described in the table, they should be treated in the same manner as the files of which they are a part. The retention periods for acquisitions at or below the simplified acquisition threshold also apply to acquisitions conducted prior to July 3, 1995, that used small purchase procedures. The retention periods for acquisitions above the simplified acquisition threshold also apply to acquisitions conducted prior to July 3, 1995, that used other than small purchase procedures.
Document: Retention Period
- Records pertaining to Contract Disputes Act actions: 6 years and 3 months after final action or decision for files created prior to October 1, 1979. 1 year after final action or decision for files created on or after October 1, 1979.
- Contracts (and related records or documents, including successful proposals) exceeding the simplified acquisition threshold for other than construction: 6 years and 3 months after final payment.
- Contracts (and related records or documents, including successful proposals) at or below the simplified acquisition threshold for other than construction: 3 years after final payment.
- Construction contracts:
  - Above $2,000: 6 years and 3 months after final payment.
  - $2,000 or less: 3 years after final payment.
- Related records or documents, including successful proposals, except for contractor's payrolls (see (b)(4)(iv)): Same as contract file.
- Contractor's payrolls submitted in accordance with Department of Labor regulations, with related certifications, anti-kickback affidavits, and other related papers: 3 years after contract completion unless contract performance is the subject of an enforcement action on that date.
- Solicited and unsolicited unsuccessful offerors, quotations, bids, and proposals:
  - Relating to contracts above the simplified acquisition threshold: If filed separately from contract file, until contract is completed. Otherwise, the same as related contract file.
  - Relating to contracts at or below the simplified acquisition threshold: 1 year after date of award or until final payment, whichever is later.
- Files for canceled solicitations: 5 years after cancellation.
- Other copies of procurement file records used by component elements of a contracting office for administrative purposes: Upon termination or completion.
- Documents pertaining generally to the contractor as described at 4.801(c)(3): Until superseded or obsolete.
- Data submitted to the Federal Procurement Data System (FPDS) (electronic data file maintained by fiscal year, containing unclassified records of all procurements other than simplified acquisitions, and information required under 4.601): 5 years after submittal to FPDS.
- Investigations, cases pending or in litigation (including protests), or similar matters: Until final clearance or settlement, or, if related to a document identified in (b)(1)-(9), for the retention period specified for the related document, whichever is later.
The requirement for records retention for Title 42, Chapter 103 (Superfund) is 30 years.
While the data are retained in the system, what are the requirements for determining if the data are still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?
In BY 2007, the data in the system will be used for creating the legal record of the acquisition which will be a paper document produced by the system and signed by appropriate parties. The EAS will include significant increases in use of E-Authentication in BY 2008 and 2009. EAS will eventually rely on the system data as the basis for determinations and awards. The integrity of the data will be provided by security measures for the moderate sensitivity, integrity and availability level as defined in the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-60, Federal Information Processing Standard (FIPS) 199. The controls are currently specified in the NIST SP 800-53 and those controls will be tested in accordance with the NIST SP 800-53A. The security plan for the system will be drafted in the first quarter of BY 2007 in accordance with the investment plan provided under the CPIC process.
Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.
The system will provide the capability to identify and monitor input under the security requirements. The audit functions such as audit trails for incident response capabilities will permit system administrators to identify problems and track the input back to the originator. The system will not be designed to monitor individuals or their input other than the minimum required to secure the system.
Does the system use any persistent tracking technologies?
Under which System of Records (SOR) notice does the system operate? Provide the name of the system and its SOR number if applicable. For reference, please view this list of Agency SORs. (A SOR is any collection of records under the control of the Agency in which the data is retrieved by a personal identifier. The Privacy Act Officer will determine if a SOR is necessary for your system.)
The system does not operate under a System of Records notice.