

Superfund Cost Recovery Package Imaging and On-Line System (SCORPIOS)

I. Data in the System

  1. Generally describe what information will be collected in the system.

    Financial data and associated documents (images) are collected; major groupings include travel, payroll, and voucher data.

  2. What are the sources and types of the information in the system?

    Much of the data in SCORPIOS is sourced from the Financial Data Warehouse (FDW), which is sourced by multiple sub-systems including the Integrated Financial Management System (IFMS), Contract Payment System (CPS), EPAYS, CPARS, PeoplePlus, CERCLIS, and Bankcard systems. In addition, data from sub-systems such as Travel Manager and IDOTS are also used.

  3. How will the data be used by the Agency?

    Data is used to produce cost packages, which are groups of reports detailing government and contractor expenditures related to Superfund cleanup activities.

  4. Why is the information being collected? (Purpose)

    To support EPA's cost recovery efforts.

II. Access to the Data

  1. Who will have access to the data/information in the system (internal and external parties)? If contractors, are the Federal Acquisition Regulations (FAR) clauses included in the contract (24.104 Contract clauses; 52.224-1 Privacy Act Notification; and 52.224-2 Privacy Act)?

    Internal parties accessing SCORPIOS data include regional cost accountants and headquarters cost accountants and policy makers. External parties accessing SCORPIOS data include contractors supporting regional and headquarters efforts, as well as information technology (IT) support staff. The SCORPIOS support contract references FAR 52.204-2 Security Requirements (Aug 1996).

  2. What controls are in place to prevent the misuse of data by those having access?

    The SCORPIOS application's security architecture includes a robust role-based user authorization module that allows system administrators to use and modify pre-defined groups or create customizations based on need. In addition, audit trails are in place that record the user ID, the date and time a record was updated, and the date and time a record was created.

  3. Do other systems share data or have access to data/information in this system? If yes, explain who will be responsible for protecting the privacy rights of the individuals affected by the interface? (i.e., System Administrators, System Developers, System Managers)

    No.

  4. Will other agencies, state or local governments share data/information or have access to data in this system? (Includes any entity external to EPA.)

    No.

  5. Do individuals have the opportunity to decline to provide information or to consent to particular uses of the information? If yes, how is notice given to the individual? (Privacy policies must clearly explain where the collection or sharing of certain information may be optional and provide users a mechanism to assert any preference to withhold information or prohibit secondary use.)

    n/a

III. Attributes of the Data

  1. Explain how the use of the data is both relevant and necessary to the purpose for which the system is being designed.

    Cost data is integral to cost recovery efforts; without detailed cost information, EPA would risk less money being recovered.

  2. If data are being consolidated, what controls are in place to protect the data from unauthorized access or use? Explain.

    Taken from the June 2005 SCORPIOS Security Plan, Section 2.3: Because of EPA's decentralized operations, responsibility for protecting SCORPIOS against unauthorized on-line access is distributed among many organizational units and individuals within EPA. These organizations and individuals, and their various roles and responsibilities, are discussed below.

    Application rules have been defined for all personnel accessing the SCORPIOS application. These application rules are distributed to all SCORPIOS sites, along with the SCORPIOS user's guide. Application rules are also distributed when a user requests access to SCORPIOS. Current versions of the rules and the Guides are available electronically on each SCORPIOS server. OEI and OCFO, as part of the OCFO Information Security Program (InfoSec Program), provide general security awareness training.

  3. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.

    Process consolidation falls under the same controls as data consolidation above.

  4. How will data be retrieved? Can it be retrieved by personal identifier? If yes, explain. (A personal identifier is a name, Social Security Number, or other identifying symbol assigned to an individual, i.e. any identifier unique to an individual.)

    Data can be retrieved by a number of different methods, including personal identifiers such as name and SSN. This is normally associated with payroll information.

  5. Is the Web privacy policy machine readable? Where is the policy stated? (Machine readable technology enables visitors to easily identify privacy policies and make an informed choice about whether to conduct business with that site.)

    N/A. This system is not accessible via the Web; it is only available as a client/server application.

IV. Maintenance of Administrative Controls

  1. Has a record control schedule been issued for the records in the system? If so, provide the schedule number. What are the retention periods for records in this system? What are the procedures for eliminating the records at the end of the retention period? (You may check with the record liaison officer (RLO) for your AA-ship, Tammy Boulware (Headquarters Records Officer) or Judy Hutt, Agency Privacy Act Officer, to determine if there is a retention schedule for the subject records.)

    N/A

  2. While the data are retained in the system, what are the requirements for determining if the data are still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?

    N/A

  3. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.

    No.

  4. Does the system use any persistent tracking technologies?

    No.

  5. Under which System of Records (SOR) notice does the system operate? Provide the name of the system and its SOR number if applicable. A list of Agency SORs is posted at http://www.epa.gov/privacy/notice/. (A SOR is any collection of records under the control of the Agency in which the data is retrieved by a personal identifier. The Privacy Act Officer will determine if a SOR is necessary for your system.)

    N/A

