Privacy Impact Assessment for the National Service Center for Environmental Publications and National Environmental Publications Internet Site
On this page:
- I. Data in the System
- II. Access to the Data
- III. Attributes of the Data
- IV. Maintenance of Administrative Controls
I. Data in the System
-
Describe what data/information will be collected/contained in the system.
The NSCEP system collects basic contact information (name, address e-mail and phone number) to process requests from the public for EPA hardcopy publications. The NEPIS site collects users e-mail addresses as part of a website error reporting system.
-
What are the sources and types of the data/information in the system?
An individual fills out an electronic order form (name, address, e-mail and phone number, publications requested and special instructions) to request a publication. The individual can also fill out a voluntary electronic error notification form when reporting content problems that will collect the user’s e-mail address.
-
How will the data be used by the Agency?
The requested information is used to mail hardcopy EPA publications to the requestor. The electronic error notification form is used to resolve technical issues and problems reported with the internet site.
-
Why is the information being collected? (Purpose)
The information is collected to provide environmental information to the public at no cost in order to provide transparency, education, and outreach.
II. Access controls for the Data
-
Who will have access to the data/information in the system (internal and external parties)? If contractors, are the Federal Acquisition Regulations (FAR) clauses included in the contract (24.104 Contract clauses; 52.224-1 Privacy Act Notification; and 52.224-2 Privacy Act)?
Internal EPA employees and EPA contractors responsible for fulfilling the requests will have access to the data collected in the system. Appropriate FAR clauses are included in the contract.
-
How have you educated those having authorized access about the misuse of PII data?
Internal EPA employees and EPA contractors receive periodic security training, Privacy Act training, and records management training.
-
Do other systems share or have access to data/information in this system? If yes, explain who will be responsible for protecting the privacy rights of the individuals affected by the interface? (i.e., System Administrators, System Developers, System Managers)
NEPIS Error Reporting E-mails are forwarded to EPA libraries or NSCEP contractor as required to resolve content issues. The persons receiving these emails are required to protect the information and are informed through annual training.
-
Will other agencies, state or local governments share or have access to data/information in this system (includes any entity external to EPA.)? If so, what type of agreement was issued? (i.e., ISA, MOU, etc.)
Other agencies, state or local governments do not have access to the data in the system.
-
Is the data and /or processes being consolidated? If so, are the proper controls in place to protect the data from unauthorized access or use?
The data and/or processes are not being consolidated.
III. Attributes of the Data
-
Explain how the use of the data is both relevant and necessary to the purpose for which the system is being designed.
The data is collected in order to mail information (hardcopy EPA publications) to the person who has provided the PII data. The information is collected for documents because the requestor wants a hardcopy EPA publication. The electronic error notification form collects the sender’s email address in order to notify the site manager of an error and to contact the person in order to gather additional information to resolve the problem.
-
How is the system designed to retrieve information by the user? Will it be retrieved by personal identifier more than 50% of the time? If yes, explain. (A personal identifier is a name, Social Security Number, or other identifying symbol assigned to an individual, i.e. any identifier unique to an individual.)
No.
-
Do individuals have the opportunity to decline to provide information or to consent to particular uses of the requested information? If yes, how is notice given to the individual? (Privacy policies must clearly explain where the collection or sharing of certain information may be optional and provide users a mechanism to assert any preference to withhold information or prohibit secondary use.)
Individuals have the opportunity to decline by not requesting hard copy documents. Many EPA publications are available electronically and may be downloaded. Notice is provided via the Agency’s standard Privacy notice link provided at top of order form and bottom of every web page.
-
Where is the Web privacy policy stated?
Privacy notice link provided at top of order form and bottom of every web page
IV. Maintenance of Administrative Controls
-
Has a record control schedule been issued for the records in the system? If so, provide the schedule number. (You may check with the record liaison officer (RLO) for your AA-ship or Tammy Boulware (Headquarters Records Officer) to determine if there is a retention schedule for the subject records.)
This information is not considered a record and therefore there is no record schedule.
-
While the data are retained in the system, what are the requirements for determining if the data are still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?
This data is not retained for further use to distribute documents.
-
Will this system provide the capability to identify, locate, or monitor individuals? If yes, explain.
No.
-
Does the system use any persistent tracking technologies?
No.
-
Under which System of Records (SOR) notice does the system operate? Provide the name of the system and its SOR number if applicable. For reference, please view this list of Agency SORs. (A SOR is any collection of records under the control of the Agency in which the data is retrieved by a personal identifier.)
This internet site is not operated under a System of Records (SOR) Notice since data is not retrieved using a personal identifier.