Database Project (SID) Privacy Impact UNITED STATES · PDF fileand/or controlled facilities ... to access through an Investigation Status Report to verify the security ... ☐ Pilot

Security Investigative Database Project (SID) Privacy Impact Assessment (PIA)

UNITED STATES AGENCY FOR INTERNATIONAL DEVELOPMENT

Office of the Chief Information Officer (M/CIO) Information Assurance Division

SEC/PSD/Security Investigative Database Project (SID) Approved Date: April 20, 2015

Additional Privacy Compliance Documentation Required:

☐ None

☐ System of Records Notice (SORN)

☐ Open Data Privacy Analysis (ODPA)

☐ Privacy Act Section (e)(3) Statement or Notice (PA Notice)

☐ USAID Web Site Privacy Policy

☐ Privacy Protection Language in Contracts and Other Acquisition‐Related Documents

☐ Role‐Based Privacy Training Confirmation Possible Additional Compliance Documentation Required:

☐ USAID Forms Management. ADS 505

☐ Information Collection Request (ICR). ADS 505, ADS 506, and ADS 508 Privacy Program

☐ Records Schedule Approved by the National Archives and Records Administration. ADS 502

SEC/PSD/Security Investigative Database Project (SID) Privacy Impact Assessment Date Approved: April 20, 2015

ii

TableofContents

1 Introduction.............................................................................................................................................1

2 Information..............................................................................................................................................1

2.1 Program and System Information ....................................................................................... 1

2.2 Information Collection, Use, Maintenance, and Dissemination ......................................... 4

3 PrivacyRisksandControls................................................................................................................6

3.1 Authority and Purpose (AP) ................................................................................................ 6

3.2 Accountability, Audit, and Risk Management (AR) ............................................................. 7

3.3 Data Quality and Integrity (DI) ............................................................................................ 8

3.4 Data Minimization and Retention (DM) ............................................................................. 9

3.5 Individual Participation and Redress (IP) .......................................................................... 10

3.7 Transparency (TR) ............................................................................................................. 10

3.8 Use Limitation (UL) ........................................................................................................... 11

3.9 Third‐Party Web Sites and Applications ........................................................................... 12


1

1 IntroductionThe USAID Privacy Office is using this Privacy Impact Assessment (PIA) Template to gather information from program managers, system owners, and information system security officers in order to analyze USAID information technology and information collections (systems) that collect, use, maintain, or disseminate personally identifiable information (PII). See ADS 508 Privacy Program Section 503.3.5.2 Privacy Impact Assessments.

2 Information

2.1 ProgramandSystemInformation

2.1.1 DescribethePROGRAManditsPURPOSE.The Personnel Security Division's (SEC/PSD) background investigations program develops policies, criteria, and procedures for USAID regarding the scope and conduct of personnel security investigations as prescribed by E.O. 10450, Security Requirement for Government Employment and E.O. 12968, Access to Classified Information. SEC/PS conducts, controls, and directs (a) personnel security, suitability, and HSPD‐12 background investigations; (b) periodic reinvestigations, special investigations, and limited inquiry investigation; and (c) evaluations of integrity, trustworthiness , and loyalty of USAID employee, prospective employees, and contractors.

SEC/PSD gathers information in order to create investigative records which are used for processing personnel security background investigations to determine eligibility to be awarded a federal security clearance, suitability or fitness determination for federal employment (or federal employment as a contractor), access to federally owned and/or controlled facilities, access to federally owned and /or controlled information systems. If this information is not collected, the Office of Security (SEC) will not be able to make a clearance, suitability or fitness determination and cannot employ these individuals or provide physical or logical access to USAID facilities or systems. Without such accesses, USAID cannot perform its core mission.

2.1.2 DescribetheSYSTEManditsPURPOSE.

The Security Investigative Database (SID) supports the background investigative process owned by the USAID Office of Security (SEC). SID is an enterprise‐level system that automates the creation, tracking, processing and storage of USAID employees' personal background information. It also alleviates the need for the hiring authority to submit the e‐QIP through e‐mail since transmission of the e‐QIP is accomplished system lo system. This system will be deployed world‐wide by allowing hiring authorities (OHR and IG/HR) and designated security liaisons (AMS Officers and EXO Officers overseas) to access through an Investigation Status Report to verify the security clearance of USAID employees.

2.1.3 WhatistheSYSTEMSTATUS?

☐ New System Development or Procurement

☐ Pilot Project for New System Development or Procurement

☒ Existing System Being Updated


2

2.1.3 WhatistheSYSTEMSTATUS?☐ Existing Information Collection Form or Survey OMB Control Number:

☐ New Information Collection Form or Survey

☐ Request for Dataset to be Published on an External Website

☐ Other:

2.1.4 WhattypesofINFORMATIONFORMATSareinvolvedwiththeprogram?☐ Physical only

☐ Electronic only

☒ Physical and electronic combined

2.1.5 Doesyourprogram participateinPUBLICENGAGEMENT?

☐ No.

☐ Yes:

☐ Information Collection Forms or Surveys

☐ Third Party Web Site or Application

☐ Collaboration Tool

2.1.6 Whattypeofsystemand/orTECHNOLOGYisinvolved?

☐ Infrastructure System (Local Area Network, Wide Area Network, General Support System, etc.)

☒ Network

☒ Database

☒ Software

☒ Hardware

☐ Mobile Application or Platform

☐ Mobile Device Hardware (cameras, microphones, etc.)

☐ Quick Response (QR) Code (matrix geometric barcodes scanned by mobile devices)

☐ Wireless Network

☐ Social Media

☐ Web Site or Application Used for Collaboration with the Public

☐ Advertising Platform

☐ Website or Webserver


3

2.1.6 Whattypeofsystemand/orTECHNOLOGYisinvolved?

☐ Web Application

☐ Third‐Party Website or Application

☐ Geotagging (locational data embedded in photos and videos)

☐ Near Field Communications (NFC) (wireless communication where mobile devices connect without contact)

☐ Augmented Reality Devices (wearable computers, such as glasses or mobile devices, that augment perception)

☐ Facial Recognition

☐ Identity Authentication and Management

☐ Smart Grid

☐ Biometric Devices

☐ Bring Your Own Device (BYOD)

☐ Remote, Shared Data Storage and Processing (cloud computing services)

☐ Other:

☐ None

2.1.7 Aboutwhattypesofpeopledoyoucollect,use,maintain,ordisseminatepersonalinformation?

☐ Citizens of the United States

☐ Aliens lawfully admitted to the United States for permanent residence

☒ USAID employees and personal services contractors (including Foreign Service National (FSN) Direct Hires, FSN

Personal Services Contractors, and Third Country National Employees)

☐ Employees of USAID contractors and/or services providers

☐ Aliens

☐ Business Owners or Executives

☒ Others: Spouses of USAID employees/PSC, as appropriate to meet the Federal Investigative Standards

☐ None


4

2.2 InformationCollection,Use,Maintenance,andDissemination

2.2.1 Whattypesofpersonalinformationdoyoucollect,use,maintain,ordisseminate?

☒ Name, Former Name, or Alias

☒ Mother’s Maiden Name

☒ Social Security Number or Truncated SSN

☒ Date of Birth

☒ Place of Birth

☒ Home Address

☒ Home Phone Number

☒ Personal Cell Phone Number

☒ Personal E‐Mail Address

☒ Work Phone Number

☒ Work E‐Mail Address

☒ Driver’s License Number

☒ Passport Number or Green Card Number

☐ Employee Number or Other Employee Identifier

☐ Tax Identification Number

☒ Credit Card Number or Other Financial Account Number

☐ Patient Identification Number

☒ Employment or Salary Record

☐ Medical Record

☒ Criminal Record

☒ Military Record

☒ Financial Record

☒ Education Record

☒ Biometric Record (signature, fingerprint, photo, voice print, physical movement, DNA marker, retinal scan, etc.)

☒ Sex or Gender

☒ Age


5

2.2.1 Whattypesofpersonalinformationdoyoucollect,use,maintain,ordisseminate?

☐ Other Physical Characteristic (eye color, hair color, height, tattoo)

☐ Sexual Orientation

☒ Marital status or Family Information

☐ Race or Ethnicity

☐ Religion

☒ Citizenship

☐ Other:

☐ No PII is collected, used, maintained, or disseminated

2.2.2 Whattypesofdigitalormobiledatadoyoucollect,use,maintain,ordisseminate?

☐ Log Data (IP address, time, date, referrer site, browser type)

☐ Tracking Data (single‐ or multi‐session cookies, beacons)

☐ Form Data

☐ User Names

☐ Passwords

☐ Unique Device Identifier

☐ Location or GPS Data

☐ Camera Controls (photo, video, videoconference)

☐ Microphone Controls

☐ Other Hardware or Software Controls

☐ Photo Data

☐ Audio or Sound Data

☐ Other Device Sensor Controls or Data

☐ On/Off Status and Controls

☐ Cell Tower Records (logs, user location, time, date)

☐ Data Collected by Apps (itemize)

☐ Contact List and Directories

☐ Biometric Data or Related Data


6

2.2.2 Whattypesofdigitalormobiledatadoyoucollect,use,maintain,ordisseminate?

☐ SD Card or Other Stored Data

☐ Network Status

☐ Network Communications Data

☐ Device Settings or Preferences (security, sharing, status)

☐ Other:

☒ None

2.2.4 Whoownsand/orcontrolsthesysteminvolved?

☒ USAID Office: Office of Security, Personnel Security Division

☐ Another Federal Agency:

☐ Contractor:

☐ Cloud Computing Services Provider:

☐ Third‐Party Website or Application Services Provider:

☐ Mobile Services Provider:

☐ Digital Collaboration Tools or Services Provider:

☐ Other:

3 PrivacyRisksandControls

3.1 AuthorityandPurpose(AP)

3.1.1 WhatarethestatutesorotherLEGALAUTHORITIESthatpermityoutocollect,use,maintain,ordisseminatepersonalinformation?

The Authority and Purpose Privacy Control Family ensures that USAID Identifies the Legal Basis that authorize a particular Pll collection or activity; and specifies in its notices the purposes for which PII is collected.

PII is collected under the following authorities:

Executive Order 10450, Security Requirements for Government Employees;

Executive Order I 2968, Access to Classified National Security Information;

Homeland Security Presidential Directive 12 (HSPD‐12), Policy for Common Identification Standard for Federal Employees and Contractors;

Executive Order 13526, Classified National Security Information;

Executive Order 12333, United States Intelligence Activities;


7

3.1.1 WhatarethestatutesorotherLEGALAUTHORITIESthatpermityoutocollect,use,maintain,ordisseminatepersonalinformation?

Executive Order 1338I , Strengthening Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information;

Executive Order 13488, Granting Reciprocity on Excepted Service and Federal Contractor Employee Fitness and Reinvestigation Individuals in Positions of Public Trust; and

The Intelligence Reform and Terrorism Prevention Act of 2004 (Public Law 108‐458).

3.1.2 WhyisthePIIcollectedandhowdoyouuseit?

Information is collected to determine suitability or fitness for government employment, eligibility or continued eligibility for access to classified information and issuance of a federal credential for physical, and/or logical access to USAID facilities or information.

3.1.3 HowwillyouidentifyandevaluateanypossiblenewusesofthePII?

New uses would need to be approved in advance by the system owner and arc compared to the routine uses outlined in the SORN and on e‐QIP.

3.2 Accountability,Audit,andRiskManagement(AR)

3.2.1 Doyouuseanydatacollectionformsorsurveys?

☐ No:

☒ Yes:

☒ Form or Survey (Please attach)

☐ OMB Number, if applicable:

☐ Privacy Act Statement (Please provide link or attach PA Statement)

☒ Other: Data is also collected through inquiries and vouchers; other USAID‐generated forms are used to collect clarifying /additional information from the subject on an "as needed” basis. Copies of the SF forms are located on OPM's website.

3.2.3 Whoownsand/orcontrolsthepersonalinformation?

☒ USAID Office: SEC/Personnel Security Division

☐ Another Federal Agency:

☐ Contractor:

☐ Cloud Computing Services Provider:

☐ Third‐Party Web Services Provider:


8

3.2.3 Whoownsand/orcontrolsthepersonalinformation?

☐ Mobile Services Provider:

☐ Digital Collaboration Tools or Services Provider:

☐ Other:

3.2.8 DoyoucollectPIIforanexclusivelystatisticalpurpose?Ifyoudo,howdoyouensurethatthePIIisnotdisclosedorusedinappropriately?

☒ No.

☐ Yes:

3.3 DataQualityandIntegrity(DI)

3.3.1 HowdoyouensurethatyoucollectPIItothegreatestextentpossibledirectlyfromthesubjectindividual?

To the greatest extent possible, information is collected directly from the subject and available sources as defined in the Federal Investigative Standards. Information is completed by the individual in a security web‐based application owned by OPM which requires the individual to log in and securely complete security questionnaires and upload additional documents for direct release and submission to the Office of Security (SEC). When information is collected from an available source, the source is advised of the Privacy Act by a credentialed Special Agent and the information or details are included in a report of investigation, which is then uploaded to the Secure Investigative Portal and transmitted directly to a SEC Investigative Program Manager for inclusion into the security file.

3.3.2 Howdoyouensure,tothegreatestextentpossible,thatthePIIisaccurate,relevant,timely,andcompleteatthetimeofcollection?

To the greatest extent possible, information is accurate, relevant, and timely as it relates to coverage periods outlined in the Federal Investigative Standards. For any unfavorable clearance, fitness, or suitability determination, all applicants and employees are afforded due process rights, which includes the reasons for the decision.

3.3.3 Howdoyoucheckfor,andcorrectasnecessary,anyinaccurateoroutdatedPIIinthesystem?

When notified by the subject or sources that the information is inaccurate or if uncovered during a subsequent investigation.


9

3.4 DataMinimizationandRetention(DM)

3.4.1 WhatistheminimumPIIrelevantandnecessarytoaccomplishthelegalpurposeoftheprogram?

If any and all PII elements needed to conduct an investigation are not collected, the Office of Security (SEC) will not be able to make a clearance, suitability, or fitness determination and cannot employ these individuals or provide physical or logical access to USAID facilities or systems. Without such accesses, USAID cannot perform its core mission, as mandated by Federal Investigative Standards. To verify record information when conducting an individual personnel security investigation, the minimum PII elements needed are the: SSN, Full Name, and Date and Place of Birth. The elements of the investigation are mandated by OPM on the standard e‐QIP form and releases, the Federal Adjudicative Standards, and the Federal Investigative Standards. If SEC is unable to collect and use the information, it cannot render recommendations or decision for suitability, fitness, and security clearances necessary to hire and retain staff.

3.4.3 Doesthesystemderivenewdataorcreatepreviouslyunavailabledataaboutanindividualthroughaggregationorderivationoftheinformationcollected?IsthePIIrelevantandnecessarytothespecifiedpurposesandhowisitmaintained?

☒ No.

☐ Yes:

3.4.4 Whattypesofreportsaboutindividualscanyouproducefromthesystem?Reports are produced internally in SEC for the purpose of managing and tracing case information, actions, and assignments. Reports pertaining to an individual are used to determine eligibility/continued eligibility for access to classified information, determination for suitability/fitness for government employment, or eligibility for issuance of a federal credential for physical/logical access to USAID. Information reported to the Director of National Intelligence regarding the Agency's timelines for producing reports includes only a reference case number and time frames for each phase of the investigation.

3.4.6 Doesthesystemmonitorortrackindividuals?

(If you choose Yes, please explain the monitoring capability.)

☒ No.

☐ Yes:


10

3.5 IndividualParticipationandRedress(IP)

3.5.1 DoyoucontactindividualstoallowthemtoconsenttoyourcollectionandsharingofPII?

Individuals consent to a background investigation as part of the hiring process (e.g., clearance/background investigation requirements are contained in the vacancy announcement, contract, or solicitation). In addition, all applicants, employees, and contractors that undergo a background investigation sign releases to consent to the collection as part of e‐QIP. If an individual declines (and does not sigh the required releases), the investigation is not conducted and the hiring authority notified. There are no new uses for the information; this would require a modification to the SORN or additional specific legislation, executive order, or law.

3.5.2 Whatmechanismdoyouprovideforanindividualtogainaccesstoand/orto

amendthePIIpertainingtothatindividual?

Individuals may request access to their investigative file with a request to the FOIA office as outlined in ADS 507, Freedom of Information Act and ADS 508, Privacy Policy. Record amendments requests are processed in accordance with ADS 508. Access to investigative information in accordance with the "routine uses" described in e‐ QIP and on the releases is controlled by a SEC Standard Operating Procedure. A record of the release of the information is maintained by the File Release Program Manager (Chief, Adjudications Branch), which included all elements below.

3.5.3 IfyoursysteminvolvescloudcomputingservicesandthePIIislocatedoutsideofUSAID,howdoyouensurethatthePIIwillbeavailabletoindividualswhorequestaccesstoandamendmentoftheirPII?

The system is located in the data center which houses USAID Private Cloud. An individual can submit a written request to a Security Specialist to access or amend PII data collected and stored in the USAID Private Cloud.

The Pll documents are not accessible to external sources/or individuals of an investigation.

There are a multitude of defense and protection mechanisms to cover records and systems controlled by third‐party service providers and/or subcontractors to contractors.

3.7 Transparency(TR)

3.7.1 Doyouretrieveinformationbypersonalidentifiers,suchasnameornumber?

(If you choose Yes, please provide the types of personal identifiers that are used.)

☐ No.

☒ Yes: Name, date of birth, and social security number


11

3.7.2 Howdoyouprovidenoticetoindividualsregarding?

1) The authority to collect PII:

2) The principal purposes for which the PII will be used:

3) The routine uses of the PII:

4) The effects on the individual, if any, of not providing all or any part of the PII:

This is provided in e‐QIP and by the hiring authority.

3.7.3 IsthereaPrivacyActSystemofRecordsNotice(SORN)thatcoversthissystem?

☐ No

☒ Yes: This notice has been published and is on file with the M/CIO/Privacy Office. Federal Register Volume 78,

No. 84 Wednesday, May 1 , 2013.

3.7.4 Ifyoursysteminvolvescloudcomputingservices,howdoyouensurethatyouknowthelocationofthePIIandthattheSORNSystemLocation(s)sectionprovidesappropriatenoticeofthePIIlocation?

The SORN is held with the USAID Privacy Office and referenced in the Federal Register.

3.8 UseLimitation(UL)

3.8.1 WhohasaccesstothePIIatUSAID?

This question is answered the previous section (administrative controls 5.2.3, standard operating procedures 5.2.5, training 5.2.7, and the use of user agreements 5.2.7).

3.8.3 WithwhomdoyousharethePIIoutsideofUSAID?Andwhether(andhow,if

applicable)youwillbeusingthesystemorrelatedwebsiteorapplicationtoengagewiththepublic?

The requirements to provide information on individuals investigated by USAID. Sharing agreements or written requirements (MOU 's) to provide information with DNI, OPM, and FBI arc in place. In addition, OPM houses the system (e‐QIP) where all investigative data is initially collected. OPM also owns the Central Verification System used by all agencies to report clearances and the "Secure Portal" for transmitting investigative files. The requirements to provide information on individuals investigated by USAID.


12

3.8.4 DoyousharePIIoutsideofUSAID?Ifso,howdoyouensuretheprotectionofthePII1)asitmovesfromUSAIDtotheoutsideentityand2)whenitisused,maintained,ordisseminatedbytheoutsideentity?

☐ No.

☒ Yes: The requirement s to provide information on individuals investigated by USAID. Sharing agreements or written requirements (MOU 's) to provide information with DNI, OPM, and FBI are in place. In addition, OPM house the system (e‐QIP) where all investigative data is initially collected. OPM also owns the Central Verification System used by all agencies to report clearances and the "Secure Portal" for transmitting investigative files.

3.9 Third‐PartyWebSitesandApplications

3.9.1 WhatPIIcouldbemadeavailable(eventhoughnotrequested)toUSAIDoritscontractorsandserviceproviderswhenengagingwiththepublic?


13

AppendixA. LinksandArtifacts

PrivacyComplianceDocumentsorLinksA.1

☐ None. There are no documents or links that I need to provide.

☐ Privacy Threshold Analysis (PTA)

☐ Privacy Impact Assessment (PIA)

☐ System of Records Notice (SORN)

☐ Open Data Privacy Analysis for Posting Datasets to the Public (ODPA)

☐ Data Collection Forms or Surveys

☐ Privacy Act Section (e)(3) Statements or Notices

☐ USAID Web Site Privacy Policy

☐ Privacy Policy of Third‐Party Web Site or Application

☐ Privacy Protection Language in Contracts and Other Acquisition‐Related Documents