We've made some changes to EPA.gov. If the information you are looking for is not here, you may be able to find it on the EPA Web Archive or the January 19, 2017 Web Snapshot.

Privacy Impact Assessment for the Lead-based Paint System of Records

On this page:


I. Data in the System

  1. Generally describe what information will be collected in the system.

    The Lead-based Paint System Of Records (LPSOR) will contain information collected from several application and notification forms involving certification, accreditation, and training for, and performing of, lead-based paint activities. Included within these records will he personal information collected about individuals, including name, social security number (SSN), home address, phone number, date of birth, work related information, signature, course test scores, submitted fees, and certificates. Also included will be information on firms which apply for certification to perform lead-based paint activities, fines which apply for accreditation to perform lead-based paint training, and properties where lead-based paint abatement activities are to be performed. This information will include identifying and location information.

  2. What are the sources and types of the information in the system?

    Sources for the privacy-related information include EPA Forms 8500-2, "Application For Individuals To Conduct Lead-Based Paint Activities," 8500-27, "Application For Firms To Conduct Lead-Based Paint Activities," and 8500-25, "Accreditation Application For Training Programs." The information derived from these forms concerns individuals who have either applied for certification or who have identified themselves as representatives on behalf of firms which conduct or which receive accreditation to provide training in lead-based paint activities.

    Other sources include information derived from three required notifications submitted to EPA pursuant to 4 0 CFR part 7,15 (see "Lead; Notification Requirements for Lead-Based Paint Abatement Activities and Training," 69 FR 18489, April 8, 2004). The first form requires firms certified under 40 FR 745.226 to provide notification to the Agency prior to conducting lead-based paint abatement activities. The other two forms require training programs accredited under 40 FR 745.225 to provide notification to the Agency prior to and then following conducting lead-based paint activities training courses. The data derived from these notifications include information on individuals who supervise lead abatement projects and prepare the notification to EPA prior to doing so; or serve as instructors for, manage other instructors in, or attend training as students of, these accredited programs.

    Finally, other sources of information may include supplementary documents obtained by Regional offices in the application approval process.

  3. How will the data be used by the Agency?

    EPA will use the data to process the applications, determine the status of applications, search for applications, generally support the certification/accreditation processes, generate reports containing certification/accreditation information, develop badges and certificates, and support compliance and enforcement activities.

  4. Why is the information being collected (purpose)?

    The data will be used to certify individuals and firms to conduct lead-based paint activities, accredit training providers to conduct lead-based paint training, and gauge compliance with program requirements.

Top of Page


II. Access to the Data

  1. Who will have access to the data in the system (inside and outside parties)?

    Those having access to system data include EPA Headquarters and Regional staff who manage the Federal Lead-Based Paint program, as well as Federal program contractors and their employees who give support to Headquarters and Regional staff under the program. EPA contractors must comply with Agency policies, as well as FAR 48 CFR 24.104 (1999). See also id. 52.224 - 1 to - 2.

  2. What controls are in place to prevent the misuse of data by those having access?

    Electronic system users are provided a unique user identification (ID) will] personal identifiers. All LPSOR electronic access users must read and sign the "Security Related Informational Material" memorandum which sets out an overview of the system and the rules for its use, instructs users on the risks and vulnerabilities within the system, and informs users about their accountability for the system. LPSOR users are informed of their responsibilities in protecting the records, and are subject to severe disciplinary measures for any misuse up to and including criminal prosecution. For all records, both electronic and paper, physical facilities are secured through building security with computerized badge-reading systems for user access. Paper records are maintained in secure locked areas within locked cabinets.

  3. Do other systems share data or have access to data in this system? If yes, explain.

    No

  4. Who will be responsible for protecting the privacy rights of the individuals affected by the interface (i.e., System Administrators, System Developers, System Managers)?

    There is no data sharing in the system.

  5. Will other agencies, state or local governments share data or have access to data in this system (includes any entity external to EPA)?

    No.

  6. Do individuals have the opportunity to decline to provide information or to consent to particular uses of the information? If yes, how is notice given to the individual? (Privacy policies must clearly explain where the collection or sharing of certain information may be optional and provide users a mechanism to assert any preference to withhold information or prohibit secondary use.)

    Yes. On paper application and notification forms, required Privacy Act Statement is included. With electronic application/notification submissions, the Privacy Act Statement appears as a disclaimer advising users of the option to submit the requested information through use of the paper application process.

  7. How will the information be secured?

    Electronic system users are provided a unique user ID with personal identifiers. All LPSOR electronic access users must read and sign the "Security Related Informational Material" memorandum which sets out an overview of the system and the rules for its use, instructs users on the risks and vulnerabilities within the system, and informs users about their accountability for the system. LPSOR users are informed of their responsibilities in protecting the records, and are subject to severe disciplinary measures for any misuse up to and including criminal prosecution. For all records, both electronic and paper, physical facilities are secured through building security with computerized badge-reading systems for user access. Paper records are maintained in secure locked areas within locked cabinets.

Top of Page


III. Attributes of the Data

  1. Is the use of the data both relevant and necessary to the purpose for which the system is being designed?

    Yes. LPSOR, in both its electronic and paper components, is uniquely designed to be used as a reference tool in support of the processing of certification/accreditation applications and required notifications. In this way, the records and data stored in the system are used to accomplish only these statutory/regulatory objectives.

  2. If data are being consolidated, what controls are in place to protect the data from unauthorized access or use?

    Electronic system user's are provided a unique user ID with personal identifiers. All LPSOR electronic access users must read and sign the "Security Related lnformational Material" memorandum which sets out an overview of the system and the rules for its use, instructs users on the risks and vulnerabilities within the system, and informs users about their accountability for the system. LPSOR users arc informed of their responsibilities in protecting the records, and are subject to severe disciplinary measures for any misuse up to and including criminal prosecution. For all records, both electronic and paper, physical facilities are secured through building security with computerized badge-reading systems for user access. Paper records are maintained in secure locked areas within locked cabinets.

  3. If processes arc being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.

    Processes are not being consolidated.

  4. How will data be retrieved? Can it be retrieved by personal identifier? If yes, explain.

    Yes. The electronic data in LPSOR may only be retrieved by logging into the system with a user ID and password. Hard copy records are retrieved through established building pass ID security systems. Data may be retrieved by applicant name or the application number or application identification number that the FLPP Database assigns.

  5. What achievements of goals for machine readability have been incorporated into this system? Where is the policy stated? (Machine readable technology enables visitors to easily identify privacy policies and make an informed choice about whether to conduct business with that site.)

    This question is not applicable. There is no public access to LPSOR.

Top of Page


IV. Maintenance of Administrative Controls

  1. What are the retention periods of data in this system?

    Records are retained and disposed of in accordance with EPA's records schedule 089 and the National Archives and Records Administration General Records Schedule (GRS) 23/8. Application records maintained in the system will be deleted/destroyed 2 years after the date of the last entry.

  2. What are the procedures for eliminating the data at the end of the retention period? Where are the procedures documented?

    The procedures for eliminating the data are in maintained in EPA's records schedule 089 and GRS 23/8.

  3. While the data are retained in the system, what are the requirements for determining if the data are still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?

    The information originates from the applicants/notifiers themselves, so it is to their benefit to provide accurate information and keep it updated by notifying EPA of any changes.

  4. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.

    Yes, by their name, home address, telephone number, SSN, and photograph.

  5. Is there any persistent tracking technology available?

    There are no "persistent tracking technology" tools used for the FLPP database.

  6. Under which System of Records notice (SOR) does the system operate? Provide the name of system and number if applicable. (A SOR is any collection of records under the control of the Agency in which the data are retrieved by a personal identifer. A personal identifier is a name, SSN, or other identifying symbol assigned to an individual, i.e. any identifier unique to an individual. The Privacy Act Officer will ensure that a SOR is developed for your system if necessary.)

    The Lead-based Paint System of Records ("LPSOR"), EPA-54.

  7. If the system is being modified, will the SOR require amendment or revision? Explain.

    No. Since this is a new system of records, there are no modifications.

Top of Page