Privacy Impact Assessment for the Research Grant, Cooperative Agreement and Fellowship Application Files
On this page:
- I. Data in the System
- II. Access to the Data
- III. Attributes of the Data
- IV. Maintenance of Administrative Controls
I. Data in the System
-
Generally describe what data/information will be collected in the system.
ORD's National Center for Environmental Research (NCER) provides grants and fellowships to universities and students. NCER uses a system called the Grants and Fellowship System (GFS) to process the applications, assist in peer reviews, and prepare the funding packages. The information which is contained within the system includes the basic contact information from the applications submitted in response to Agency solicitations - RFAs (Request for Applications). The data includes names of the principal investigators, physical address information (usually at the university), email addresses, as well as phone and / or fax numbers.
-
What are the sources and types of the information in the system?
The source of the information is from the application submitted - mainly the SF-424 form. Not all the information from the submitted applications is entered into the GFS. Only the basic information on the univeristy, the title of the research proposal and contatct information of the principal investigators and administrative contacts.
-
How will the data be used by the Agency?
The data is used to process and track the applications submitted to the Agency. These applications are peer reviewed and evaluated for merit and relevancy of research to the various solicitations.
-
Why is the information being collected? (Purpose)
The salient information is needed in order to contact the applicants, track their applications through the process, and contact them with either rejection or award details.
II. Access to the Data
-
Who will have access to the data/information in the system (internal and external parties)? If contractors, are the Federal Acquisition Regulations (FAR) clauses included in the contract (24.104 Contract clauses; 52.224-1 Privacy Act Notification; and 52.224-2 Privacy Act)?
The data is stored on Agency servers and there is no external access to the data. Only access is by NCER staff and on-site contractors who entry some of the data and assist in processing. The GFS access is by userid and password. Additionally, users can only access and work in the module they are assigned or given rights to. For example, the Project Officers can only access the data within the Funding Module.
-
What controls are in place to prevent the misuse of data by those having authorized access?
As stated in the question above, the system is controlled by user roles. User login is also tracked for a short period of time.
-
Do other systems share data or have access to data/information in this system? If yes, explain who will be responsible for protecting the privacy rights of the individuals affected by the interface? (i.e., System Administrators, System Developers, System Managers)
No.
-
Will other agencies, state or local governments share data/information or have access to data in this system? (Includes any entity external to EPA.)
No.
-
Do individuals have the opportunity to decline to provide information or to consent to particular uses of the information? If yes, how is notice given to the individual? (Privacy policies must clearly explain where the collection or sharing of certain information may be optional and provide users a mechanism to assert any preference to withhold information or prohibit secondary use.)
No - most of the information required by the forms is not an ORD requirement, but a common form used by other government agencies.
III. Attributes of the Data
-
Explain how the use of the data is both relevant and necessary to the purpose for which the system is being designed.
The type of data which is kept is basic contact information which is necessary to communicate with the applicants on the status of their proposals.
-
If data are being consolidated, what controls are in place to protect the data from unauthorized access or use? Explain.
N/A
-
If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
N/A
-
How will data be retrieved? Can it be retrieved by personal identifier? If yes, explain. (A personal identifier is a name, Social Security Number, or other identifying symbol assigned to an individual, i.e. any identifier unique to an individual.)
Usually the data is retrieved by a particular proposal or grant number which is not related to any personal identifiable data. Information can be retrieved by name, but only but the administrator of the system. There are no Social Security numbers in the system.
-
Is the Web privacy policy machine readable? Where is the policy stated? (Machine readable technology enables visitors to easily identify privacy policies and make an informed choice about whether to conduct business with that site.)
N/A
IV. Maintenance of Administrative Controls
-
Has a record control schedule been issued for the records in the system? If so, provide the schedule number. What are the retention periods for records in this system? What are the procedures for eliminating the records at the end of the retention period? (You may check with the record liaison officer (RLO) for your AA-ship, Tammy Boulware (Headquarters Records Officer) or Judy Hutt, Agency Privacy Act Officer, to determine if there is a retention schedule for the subject records.)
No.
-
While the data are retained in the system, what are the requirements for determining if the data are still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?
After data entry, the data is not changed and is used for that particular year's solicitations. It is not accessed after the awards or rejections have been made. If an award is made for multiple years, the basic information is maintained, but not changaable by the users. Only additional funding packages can be processed for the multiple years.
-
Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.
No.
-
Does the system use any persistent tracking technologies?
No.
-
Under which System of Records (SOR) notice does the system operate? Provide the name of the system and its SOR number if applicable. For reference, please view this list of Agency SORs. (A SOR is any collection of records under the control of the Agency in which the data is retrieved by a personal identifier. The Privacy Act Officer will determine if a SOR is necessary for your system.)
EPA-36.