Privacy Impact Assessment for the PC Label System
On this page:
- I. Data in the System
- II. Access to the Data
- III. Attributes of the Data
- IV. Maintenance of Administrative Controls
I. Data in the System
Describe what data/information will be collected/contained in the system.
The PC Label System (PCLABEL-CF) is a web-based application that maintains mailing and contact information relating to individuals and organizations who have either a stakeholder interest or general interest in the mission, programs, and activities of the EPA Region 1. It contains contact information on individuals who have a) requested either in writing, in person, by phone, fax, or email that they be placed on EPA Region 1's mailing list, or b) been placed on contact/mailing list by EPA Region 1 staff members who entered individuals directly into the database based on contacts they have made in the course of conducting EPA Region 1 business. Access is extended on a request basis to any EPA Region 1 staff and on-site contractors.Information contained in the system includes name, organization name, mailing address, phone and fax numbers, email address, business affiliation and EPA Region 1 programs of interest.
What are the sources and types of the data/information in the system?
The information generally is collected directly from the contact individual from personal meetings, emails, mails, business cards, meetings & events, etc. Other sources of contact information include business publications to which the agency subscribes, and publicly available business and industry directories like the phone book or those found online. The collected information is manually entered into the system by EPA Region 1 staff.
How will the data be used by the Agency?
The information collected is used to create mailing lists of EPA Region 1 stakeholders and constituents who are interested in receiving updates, news releases, educational materials, or other information from the US EPA Region 1. Any information about the organization, industry, or topics of interest will be used to identify individuals and organizations likely to be interested in a particular EPA Region 1 news release, alerts, or other communication.
Why is the information being collected? (Purpose)
The information is collected for the purpose of contacting individuals and others who have either a stakeholder interest or general interest in the mission, programs, and activities of the EPA Region 1. In general, the EPA Region 1 programs mission includes partnerships and educating the public.
II. Access controls for the Data
Who will have access to the data/information in the system (internal and external parties)? If contractors, are the Federal Acquisition Regulations (FAR) clauses included in the contract (24.104 Contract clauses; 52.224-1 Privacy Act Notification; and 52.224-2 Privacy Act)?
The PCLAB-CF system is available on EPA Region 1 Intranet and is hosted within the internally protected network. Access to the system is restricted to EPA Region 1 users only. Access levels are controlled by user roles through the application. The role determines the level of data access available. In addition, only authorized organizations within the EPA Region 1 will be able to access the database, and information in the database will be segregated by organization. Contact information may be shared in accordance with routine uses permitted by the Privacy Act, including disclosures that may be required in response to Freedom of Information Act requests from private individuals or companies, requests from Congress, or in litigation.
EPA Region 1 contractors must comply with Agency policies, as well as FAR 48 CFR 24.014 (1999).
There are no external parties with access to the system.
The public does not have access to the system.
External users who require (and are authorized to receive) data extracts from the system are provided the appropriate information, as needed, by system users.
How have you educated those having authorized access about the misuse of PII data?
Annual security awareness training with a section on data privacy is mandatory for all EPA Region 1 employees and contractors.
Do other systems share or have access to data/information in this system? If yes, explain who will be responsible for protecting the privacy rights of the individuals affected by the interface? (i.e., System Administrators, System Developers, System Managers)
Will other agencies, state or local governments share or have access to data/information in this system (includes any entity external to EPA.)? If so, what type of agreement was issued? (i.e., ISA, MOU, etc.)
No. The information is maintained for EPA Region 1 internal use only.
Is the data and /or processes being consolidated? If so, are the proper controls in place to protect the data from unauthorized access or use?
III. Attributes of the Data
Explain how the use of the data is both relevant and necessary to the purpose for which the system is being designed.
The data contained in the PCLAB-CF system is used by EPA Region 1 solely for the purpose of distributing information about EPA Region 1 and EPA Region 1-sponsored or cosponsored events. The information contained within the system contains the minimum necessary data to contact members of the public who have stated that they are interested in receiving information on EPA Region 1’s programs and events, or whom EPA Region 1 staff have identified as being potentially interested in this information.
How is the system designed to retrieve information by the user? Will it be retrieved by personal identifier more than 50% of the time? If yes, explain. (A personal identifier is a name, Social Security Number, or other identifying symbol assigned to an individual, i.e. any identifier unique to an individual.)
The data in the system is retrieved by logging into the system with a valid user ID and password. The system is designed to retrieve information by mailing list program of interest, address and by name. The data is primarily retrieved by mailing list program of interest. Contact record can be retrieved by name to verify or update the information.
Do individuals have the opportunity to decline to provide information or to consent to particular uses of the requested information? If yes, how is notice given to the individual? (Privacy policies must clearly explain where the collection or sharing of certain information may be optional and provide users a mechanism to assert any preference to withhold information or prohibit secondary use.)
The data are collected directly from individuals. Submission of contact information is voluntary and use in mailing lists is understood as standard. Note that when information is used for mailing lists, individuals can respond with corrected information or may request to have their information deleted from the mailing list/system at any time.
IV. Maintenance of Administrative Controls
Has a record control schedule been issued for the records in the system? If so, provide the schedule number. (You may check with the record liaison officer (RLO) for your AA-ship or Tammy Boulware (Headquarters Records Officer) to determine if there is a retention schedule for the subject records.)
Yes, EPA Records Schedule Number 090 - Administrative Support Databases.
While the data are retained in the system, what are the requirements for determining if the data are still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?
The contact data remains in the database until a) the contact data is determined to be incorrect and the contact cannot be reached to make the corrections, b) the user no longer expresses an interest in being on the mailing list, or c) the user requests that it be deleted. When a record is corrected, the corrected information overwrites the incorrect information, which is not retained.
Will this system provide the capability to identify, locate, or monitor individuals? If yes, explain.
Yes, the system can retrieve information by name and address, but, the system does not provide the capability to monitor individuals. The contact data is not used to make any kind of determination regarding the individual. Individuals' name and address information is necessary to create mailing lists.
Does the system use any persistent tracking technologies?
Under which System of Records (SOR) notice does the system operate? Provide the name of the system and its SOR number if applicable. For reference, please view this list of Agency SORs. (A SOR is any collection of records under the control of the Agency in which the data is retrieved by a personal identifier.)