Privacy Impact Assessment for the Integrated Contracts Management System
On this page:
- I. Data in the System
- II. Access to the Data
- III. Attributes of the Data
- IV. Maintenance of Administrative Controls
I. Data in the System
Generally describe what data/information will be collected in the system.
ICMS includes the ICMS application, the Small Purchase Electronic Data Interchange (SPEDI) and the Program Office Interface (POI). The data collected and stored in the ICMS applications is that required and/or allowed under the Federal Acquisition Regulations (FAR) for the business process of acquiring goods and services in support of the Agency's mission. This includes planning, solicitation, award, contract administration and close out of contracts and purchase orders.
What are the sources and types of the information in the system?
The sources of the data are the EPA internal acquisition process, the EPA financial systems and the vendor/contracting community. Line of accounting data is retrieved from EPA's Integrated Financial Management System (IFMS). EPA employee information is provided by periodic downloads from the Agency payroll system. Contractor and vendor data in the system is provided by the vendor, via the Department of Defense supported Central Contractor Registry (CCR), under the auspices of the General Services Administration (GSA) managed Integrated Acquisition Environment (IAE), which is an e-Government initiative of the President's Management Agenda.
Types of information in the system are:
- Acquisition/Buying - Contract or purchase vehicle including statement of work or specification, funding vehicle
- Location - Location where work is to be performed or goods are to be delivered
- Financial - Obligations and commitments, funds management, program information, planning and performance information
- Human Asset - EPA contracting and program staff with roles in awarding and/or administering contracts and purchase orders, contractor points of contact, business card and organization information
- Contractor information - Contractor name, taxpayer identifier number (TIN), Dun and Bradstreet number (DUNS), and other information provided by the vendor through the CCR
How will the data be used by the Agency?
Data is used as described in the FAR, the EPA Acquisition Regulations (EPAAR) and the EPA Contracts Management Manual (CMM). Data is used to administer contracts and purchase orders in accordance with FAR part 42 and related sections. Business card and organization information is used for communicating with individuals in relation to the award and administration of the contract. DUNS and TIN numbers are used to identify the organization, company or sole proprietor for payment purposes.
Why is the information being collected? (Purpose)
The data is collected to accomplish the business process of acquiring goods and services in support of the Agency's mission. The data is also used to provide Congress and other Government agencies information on EPA's accomplishments toward meeting socioeconomic goals and to respond to inquiries for public information.
II. Access to the Data
Who will have access to the data/information in the system (internal and external parties)? If contractors, are the Federal Acquisition Regulations (FAR) clauses included in the contract (24.104 Contract clauses; 52.224-1 Privacy Act Notification; and 52.224-2 Privacy Act)?
EPA's acquisition personnel and some of OAM's Federal information technology staff have access to the data in the systems. Acquisition personnel are limited to contracts and/or small purchase actions in ICMS and SPEDI that are assigned to them. POI users include Federal program and contracting personnel, and a very limited number of contractors. These users are restricted to specific contracts through access control lists. A small number of IT contractors supporting ICMS and SPEDI have access to data for the purposes of researching problems and maintaining the applications.
What controls are in place to prevent the misuse of data by those having authorized access?
EPA acquisition personnel are trained as part of their jobs to understand the sensitivity of procurement related data. Some data is sensitive during some phases of the business process, but public after contract award. Other data is always protected as sensitive, described as Confidential Business Information (CBI) or Confidential Agency Information (CAI). Ethics and security awareness training is required for acquisition personnel and they are subject to Rules of Behavior. Their access to data is limited to specific contracts.
Federal IT staff with access to ICMS data are identified as occupying positions of a moderate level of public trust and are trained accordingly. Contractor personnel with access to ICMS data are required to sign non-disclosure agreements.
Do other systems share data or have access to data/information in this system? If yes, explain who will be responsible for protecting the privacy rights of the individuals affected by the interface? (i.e., System Administrators, System Developers, System Managers)
No other systems have direct access to data in these applications.
The ICMS applications retrieve line of accounting data from EPA's Integrated Financial Management System (IFMS) and ICMS receives batch updates from EPA's payroll system. The payroll data received by ICMS is used to identify EPA employees who are assigned management roles on Agency contracts. Social Security Numbers (SSN) are included in the data but are not visible or accessible to users. The information used in the acquisition process, which may be printed on official documents (i.e., contracts and purchase orders) is limited to name, title and other business card type information. SPEDI receives Purchase Request (PR) data from E-Forms and sends obligation data to IFMS.
ICMS and SPEDI have links to external systems included in the shared systems inventory of the Integrated Acquisition Environment (IAE), an e-Gov initiative under the President's Management Agenda. The link to the Federal Procurement Data System - Next Generation (FPDS-NG) is the means by which EPA reports contract actions to this government-wide database, as required by law. Both ICMS and SPEDI can create synopses of solicitations which are sent by email to the Federal Business Opportunities (FBO) website for posting. OAM receives vendor data from the government-wide Central Contractor Registry (CCR). The vendor data from CCR is used by ICMS and SPEDI as required in the acquisition business process.
Will other agencies, state or local governments share data/information or have access to data in this system? (Includes any entity external to EPA.)
The only data from ICMS and SPEDI that is provided outside the Agency is the contract action data reported to FPDS-NG, synopses of solicitations posted to the FBO web site, full-text solicitations and the Active Contracts List posted on EPA's web site. FPDS-NG is a public access system for post-award contract data which is required by law to be available to the public.
Do individuals have the opportunity to decline to provide information or to consent to particular uses of the information? If yes, how is notice given to the individual? (Privacy policies must clearly explain where the collection or sharing of certain information may be optional and provide users a mechanism to assert any preference to withhold information or prohibit secondary use.)
The ICMS systems do not collect information from individuals. As noted above, the only information about individuals used in the systems is the information about Federal employees received from the EPA payroll system and vendor information received from the CCR.
III. Attributes of the Data
Explain how the use of the data is both relevant and necessary to the purpose for which the system is being designed.
The data in the ICMS applications is required and/or allowed under the FAR for the business process of acquiring goods and services in support of the Agency's mission. This includes contract initiation, solicitation, award, contract administration and close out of contracts and purchase orders.
If data are being consolidated, what controls are in place to protect the data from unauthorized access or use? Explain.
Acquisition data is consolidated only to provide reports and responses to inquiries. As noted above, the only data from sources outside OAM used in these applications is EPA federal personnel and financial data, and vendor data provided by vendors to the government-wide CCR database.
If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
Processes are not being consolidated in these applications.
How will data be retrieved? Can it be retrieved by personal identifier? If yes, explain. (A personal identifier is a name, Social Security Number, or other identifying symbol assigned to an individual, i.e. any identifier unique to an individual.)
Data is retrieved by EPA acquisition personnel only. EPA employee information is incorporated into ICMS by users selecting names from a drop-down list. Social Security Number is used within the system for unique identification of each employee but is not accessible or visible to ICMS users.
What achievements of goals for machine readability have been incorporated into this system? Where is the policy stated? (Machine readable technology enables visitors to easily identify privacy policies and make an informed choice about whether to conduct business with that site.)
The ICMS applications do not provide or allow public access. Only EPA acquisition personnel and IT support staff (Federal and contractor) have access to these applications.
IV. Maintenance of Administrative Controls
Has a record control schedule been issued for the records in the system? If so, provide the schedule number. What are the retention periods for records in this system? What are the procedures for eliminating the records at the end of the retention period? (You may check with the record liaison officer (RLO) for your AA-ship, Tammy Boulware (Headquarters Records Officer) or Judy Hutt, Agency Privacy Act Officer, to determine if there is a retention schedule for the subject records.)
The official contract files consist of the paper documents only. There is no record control schedule for the electronic records.
While the data are retained in the system, what are the requirements for determining if the data are still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?
Contract data is maintained throughout the life of the contract and for a specific time period following contract closeout. All contract actions are reported to FPDS-NG and are monitored by OAM management and acquisition personnel through system generated reports to ensure accuracy and completeness of information. Contract actions in ICMS can be issued only by warranted contracting officers, who are responsible for the accuracy and completeness of information associated with the contract.
Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.
The only individuals that can be identified in the system are EPA Federal employees and vendors who have voluntarily provided information to the government-wide Central Contractor Registry (CCR).
Does the system use any persistent tracking technologies?
Under which System of Records (SOR) notice does the system operate? Provide the name of the system and its SOR number if applicable. For reference, please view this list of Agency SORs. (A SOR is any collection of records under the control of the Agency in which the data is retrieved by a personal identifier. The Privacy Act Officer will determine if a SOR is necessary for your system.)
The system does not operate under a System of Records notice.