Privacy Impact Assessment For The EP&R/FEMA Privacy Act "Disaster Recovery Assistance Files" System of Records This Privacy Impact Assessment (PIA) is divided into two parts to facilitate Review. Part A is done in the DHS standard format. Part B provides supplemental background and process information pursuant to this Privacy Impact Assessment within the context of the National Emergency Management Information System (NEMIS) Individual Assistance (IA) module for the Internet. Part A: Disaster Recovery Assistance Files Privacy Impact AssessmentPRIVACY IMPACT ASSESSMENT Information Collections Employing Electronic Capabilities Date of Assessment: September 17, 2004 FY:2004 Information Collection Control Number: OMB 1660-0002 Title: Individual Assistance Automation Methods Is this information collection doing any of the following? (PLEASE MARK ALL THAT APPLY) ____ A. Creating any new collection of personal information? __X_ B. Employing, developing, and/or procuring any new technology or system that can store and thus reveal a person's identity? _____ C. Creating new database(s) or view(s) from old databases or systems? SECTION 1. QUESTIONS ABOUT THE DATA AND ITS PURPOSES 1.1 What information is to be collected? (Provide a description of the information being sought from respondents. Specify whether the information is collected directly from individuals, organizations, or local/state/federal governments, and the nature of its content, i.e. personal, financial.) Please see the attached document for all of the specifics that address each of the PIA's questions.* The information collected is identified in Appendix A of this document. This information is collected directly from the individual and may be both personal and financial in nature. 1.2 Why is the information being collected? Is it relevant and necessary to the purpose for which the system is being designed? (Provide the statutory citation or regulation that authorizes this information collection, i.e. Public Law # and Section) This is a proposed modification of an already existing system of records covered by the provisions of the Privacy Act, the "Disaster Recovery Assistance Files" (66 FR 195, October 9, 2001). The need for this information collection is pursuant to FEMA's mission to provide assistance to disaster victims of Presidentially declared disasters. The legal basis and authorization are: the Robert T. Stafford Disaster Relief and Emergency Assistance Act, as amended by Public Law 106-390, October 30, 2000; United States Code Title 42. The Public Health And Welfare Chapter 68. Disaster Relief [As amended by Pub. L. 103-181, Pub. L. 103-337, and Pub. L. 106-390; Pub. L. 106-390, October 30, 2000, 114 Stat. 1552 - 1575); The Robert T. Stafford Disaster Relief and Emergency Assistance Act P.L. 93-288 (42 U.S.C. 5121-5206), as amended and 44 Code of Federal Regulations (44 CFR) Subchapter D-- Disaster Assistance, Part 206--Federal Disaster Assistance for Disasters Declared on or After November 23, 1988, the Disaster Mitigation Act of 2000. In addition, it complies with the provisions of Title IV of the Personal Responsibility and Work Opportunity Reconciliation Act of 1996, 8 U.S.C. §§1601 et seq., which governs eligibility for disaster assistance for applicants who are not U.S. citizens. 1.3 What is the intended use of the information? (Specify if the information will be used as a qualifier [i.e. benefits, admissions], The information collected from individuals enables FEMA to record losses suffered from disasters and emergencies, and to determine whether an applicant is eligible for assistance. This information is also relevant to prevent the duplication of disaster benefits among FEMA, Federal and state and local disaster agencies, and to provide an understanding of the makeup of a household unit. The information collected is subjected to a set of automated business rules for the purpose of ensuring that victims in a disaster are handled in a standard and equitable manner. The business rule set is reviewed frequently and managed by the program office. 1.4 What are the sources of the information? (Specify where and how are you acquiring the information) The disaster victims submit their own personal information to FEMA. The disaster victims will register with FEMA in one of three ways: paper, interviewed by a call center teleregistrars who record callers' information in the NEMIS system; and the proposed method, which is the subject of this PIA, of allowing applicants to self-register electronically via the Internet, and enter their information directly in the NEMIS system via a secure point-to- point secure socket layer tunnel through the Internet. In each method (paper, call center, or self-service via the Internet), the same information will be collected. FEMA call center staff now provide processing status and make updates to individual applications in response to applicant call-in requests. It is proposed that Applicants, who have previously registered, been authenticated, and given a user identification, password, and personal identification number, be given access to the same status information and be permitted to make the same updates to their applications in the NEMIS via a secure point-to- point secure socket layer tunnel through the Internet. This proposal would enable an authorized disaster assistance applicant to have the ability to access limited information and to update their application electronically. 1.4.1 Data Collection Instrument(s) (Specify, form(s) #, questionnaires, etc.) The FEMA Form 90-69, "Disaster Assistance Registration/Application" is the basis of the data collection. The OMB Control Number is 1660-0002. This form is included in Part B of this PIA submission. 1.5 How will the information be checked for accuracy? The applicant is given an opportunity to review their information at the end of the application process. Where appropriate, the applicant is provided with a list of possible answers from which to choose. In addition, the applicant is provided with help text for every requested input field. Applicants receive a copy of their completed application in the mail. 1.6 Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected? Not applicable. 1.7 Will the newly derived data be placed on the individual's record? Not applicable. 1.8 Can the system make new determinations about an individual that would not be possible without the new data? No. 1.9 How will the newly derived data be verified for relevance and accuracy? Not applicable, the system does not derive any new data. 1.10 Are the data elements described in detail and documented? If yes, what is the name of the document? Yes, the FEMA Form 90-69, "Disaster Assistance Registration/Application" is the basis for the data. The OMB Control Number is 1660-0002. Appendix A contains a list of the application data elements. SECTION 2: QUESTIONS ABOUT REDRESS 2.1 What opportunities do respondents have to decline to provide information? Individuals may choose not to use the Internet method of data submission. However, regardless of the method, certain information is required in order to determine eligibility. Individuals always have the right not to apply for Federal disaster assistance. In addition, registrants have the opportunity at any stage of the registration process to decline to provide basic identifying information and, thus to withdraw their application for assistance. However, individuals are informed that in order to process their request for disaster assistance, to ensure that the agency complies with applicable laws and regulations, and that no duplication of benefits occurs with other Federal and state organizations or insurance providers, registrants must provide all required information. Further, the individuals may at any time contact FEMA regarding information on their application. All decisions are made based on data in the individual's record, and are communicated to the individual via written correspondence. 2.2 What opportunities do respondents have to consent to particular uses of the information? Applying for disaster assistance constitutes consent to the collection of this information. The information provided is only used to provide disaster assistance and to prevent duplication of benefits in accordance with the routine uses listed under the existing Privacy Act system of records, the "Disaster Recovery Assistance Files." 2.3 How do individuals grant consent concerning how their information will be used or shared? The submission of an application is voluntary. A Privacy Act statement is presented to the applicant upon entering the Internet site that informs the registrant with whom this information may be shared in accordance to the routine uses of the existing system of records identified above in 2.2. Through this electronic method, the registrants are also required to check a box that indicates that they have read the Privacy Act notice presented by the system and agree to its provisions. This same Privacy Act Statement is read to those registering via the telephone or is displayed on the paper application, which the applicant signs and dates. 2.4 What are the procedures for individuals to gain access to their own information, if applicable? A copy of the completed application, FEMA Form 90-69, is mailed to the applicant, once the application is entered in the NEMIS IA Module. Additionally at the time of inspection, the applicant is asked to sign the application and the Privacy Act statement. Individuals may contact FEMA via published disaster assistance help lines to request information about their application at any time. In addition, an individual may contact FEMA's Privacy Officer with questions or concerns. Rena Y. Kim, Privacy Act Officer, room 840, 500 C Street, SW, Washington, DC 20472; telephone (202) 646-3949. 2.5 What are the procedures for correcting erroneous information? There are several ways an applicant can correct erroneous information. The first method is for the applicant to call the FEMA IA Helpline and have the attendant make the necessary corrections. The second is to provide the disaster housing inspector with corrections. The field inspectors have a limited capability to make corrections to erroneous information; consequently, most corrections are best done via the FEMA IA Helpline. We propose to add a third method to allow the applicant electronically to access and update a few key fields of their own record (PIN) assigned to them by FEMA via the Internet. In implementing this method, NIST 800-37 Level 2 Assurance tokens will be required to ensure protection of the data. In addition, the individual can also contact the FEMA Privacy Officer. . SECTION 3: QUESTIONS ABOUT ACCESS TO THE DATA 3.1 Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Others) and is it documented? Applicants will have access to all of the data they provide for their own application through the printed Form 90-69 that is mailed to them. Through this electronic module, we propose to give the applicant access to their own information (such as the status of required documentation, inspection status, or SBA status) via the Internet using the Applicant Inquiry/Applicant Update application after FEMA assigns them limited access by password and a PIN. All access to the personal information/data is managed via a role- based access control system to ensure that only authorized FEMA employees have access to the data for "official use" only. Authorized users are unchanged by our proposal to add the electronic access/Internet method of collecting personal information from disaster applicants. A more in-depth discussion is provided in Part B of this PIA submission. FEMA employees and FEMA contractors will have access to perform data-based actions in accordance with their authorized role for official purposes only. Authorized information technology (IT) professionals that handle the operations and maintenance of the system will have limited access to the system to support trouble shooting of technical system issues encountered on a day- to-day basis. Developers do not have access to the system except as authorized and approved on an individual case-by-case basis for troubleshooting purposes only. Where appropriate, applicants are referred to other Federal agencies such as the Small Business Administration (SBA) for disaster loan processing. The DHS Office of the Inspector General may request and be given access to the data. FEMA's authorized Individual Assistance program staff and authorized disaster housing inspection contractors have access to the information collected in order to further assist the applicants for official purposes only. In addition, certain new "routine uses" in the Amendment will be added to the existing Privacy Act system of records that will further specify who will have access to this information. The proposed "routine uses" include: 1) Information sharing with voluntary agencies active in current disasters; 2) Requests for payment to the U.S. Department of Treasury pursuant to the Debt Collection Improvement Act of 1996, 31 U.S.C. Section 3325(d) and 7701c(1); 3) Billing states for the applicable non-Federal cost share under the Individuals and Households Program; 4) With FEMA contractors who provide support services for the Individuals Assistance (IA) Program; and 5) Emergency evacuation plans of FEMA's manufactured housing units' occupants. 3.2 How will access to the data by a user be determined? Applicants will have limited access to their own information, which they have submitted via the Internet, and to the status of their own information (e.g. the status of required documentation, inspection status, or SBA status) regarding the processing of their own application. Access depends on FEMA assigning applicants a properly authenticated user id, password, and PIN. No individual applying for disaster assistance will have access to the entire database via the Internet. Applicants will be registered and authenticated in accordance with NIST Level 2 Assurance guidelines. With the exception of Database Administrators, all other FEMA user access is managed via automated role-based access controls for official use only. The user's access into the system is restricted by the official roles assigned to that user by virtue of his or her organizational position within FEMA. 3.3 Are criteria, procedures, controls, and responsibilities regarding access documented? Yes, each position and all roles assigned to the position as well as the definition of each role is documented, managed, and an audit trail is maintained in the automated access control system. 3.4 Will users have role-based access to data on the system limiting them to some but not all of the data? Yes, all internal users are assigned official role-based access based on their official position in FEMA. The role-based assignment is enforced through automation based on each FEMA employee's organizational responsibilities. As already stated, Internet users (applicants) are not granted access to the entire database, only limited access to their own information in an environment controlled by three firewalls. 3.5 What controls are in place to prevent the misuse (e.g. browsing, expired privileges, etc.) of data by those having access? 1. As already stated, the individual applicants are granted only limited electronic access via the Internet only to their own information. Internet users are not granted access to the entire Individual Assistance database. The individual applicant's limited access is controlled by three firewalls. The applicant must use the NIST Level 2 Tokens to gain access to his/her record. 2. For users who must process and administer the data in the system (e.g. FEMA employees and authorized contractors), a complete security and access control system is in place which complies with DHS Security guidelines and which includes automatic revocation of access upon expiration of privileges, role-based access controls that prevent browsing, etc. 3. A time-out feature will drop the connection after a designated idle period to protect against users leaving their computer unattended for extended periods of time. 4. Managers are responsible for removing access to their respective systems when an individual leaves employment with FEMA. 5. Access to the system is role-based; therefore, FEMA users have access only to the portion of the data required to perform their official duties. 6. NIST Security Guidelines are followed. 7. FEMA Enterprise Operations and the DHS or FEMA? Office of Cyber Security are able to monitor system use and determine whether information integrity has been compromised and whether corrective action by the Office of the CIO is necessary. Procedures are compliant with Title III of the E-Government Act of 2000 (Federal Information Security Management Act). 8. Because unauthorized attempts to upload information or change information are prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986, and the National Information Infrastructure Protection Act, FEMA employs software programs that monitor host and network traffic to identify unauthorized attempts to upload or change information or otherwise cause damage. 3.6 Do other systems share data or have access to data in this system? If yes, explain. Include a discussion of who will be responsible for protecting the privacy rights of individuals affected by the interface? Yes, the applicant's name, address, and bank account information is sent to the U.S. Department of Treasury, which issues payments to eligible applicants. FEMA and the States are partners in the provision of individual disaster assistance. Since the Disaster Mitigation Act of 2000, FEMA serves as an agent of most States in providing for "Other Needs Assistance." In cases where the State chooses to process "Other Needs Assistance", selected applicant information is provided to them. In each case, a well-defined approval process is established. A state is granted only limited access; that is, a state can only access its residents' information. The Small Business Administration (SBA) provides loan assistance to applicants who may not be eligible for Individual Assistance from FEMA. SBA's Disaster Loan Management System accesses NEMIS to check for the duplication of benefits. FEMA has signed a Memorandum of Understanding and an Interface Security Agreement with SBA to ensure that it protects the privacy and the integrity of applicant's data. The SBA is granted limited access only to the information necessary to administer their program. 3.7 Will other agencies share data or have access to data in this system (International, Federal, State, Local, Other)? No. Only limited sharing of selected data is provided to the SBA and to States as outlined in 3.6 above. 3.8 How will the data be used by these other agencies? See 3.6 above. 3.9 Who is responsible for assuring proper use of the data by other agencies? Signed Memoranda of Understanding and Interface Security Agreements govern the use of the data by other agencies. FEMA's Office of the Chief Financial Officer signs agreements with Treasury. The Chief Information Officer (CIO) of each agency signs the Memorandum of Understanding between FEMA and SBA. 3.10 How will the system ensure that other agencies only get the information they are entitled to? The required information is documented in the Agreements described above between the Federal agencies and FEMA. The information is processed through documented systems interfaces specific to each agreement to ensure that each agency can access only the information necessary for their mission. SECTION 4: QUESTIONS ABOUT MAINTENANCE OF ADMINISTRATIVE CONTROLS 4.1 Are the data secured consistent with agency requirements under the Federal Information Security Management Act? Specifically: 4.1.1 Affirm that the agency is following IT security requirements and procedures required by federal law and policy to ensure that information is appropriately secured. The Agency procedures are consistent with the requirements of the Federal Information Security Management Act (FISMA). FEMA is committed to protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, and destruction in order to provide integrity, confidentiality, and availability of the information. FEMA is completing a Certification and Accreditation on the NEMIS system. In addition, the password protection policies are in accordance with NIST Special Publication 800-63, Electronic Authentication Guideline. 4.1.2 Acknowledge that the agency has conducted a risk assessment, identified appropriate security controls to protect against that risk, and implemented those controls; FEMA has conducted a risk assessment and no critical vulnerabilities have been identified. A System Certification and Accreditation is in the final stages of being of completed. 4.1.3 Describe the monitoring/testing/evaluating on a regular basis to ensure that controls continue to work properly, safeguarding the information. The controls protecting this data are an integral part of the NEMIS and are discussed in more detail in Part B of this submission. NEMIS, as a major mission-critical FEMA application, is subject to continuous monitoring, testing, and evaluation in the course of certification and accreditation, system releases, system acceptance testing, and audits by the DHS Office of the Inspector General and various FEMA program offices that are dependent upon NEMIS for mission support services. The baseline system has been operational since 1997. 4.1.4 Provide a point of contact for any additional questions from users. William Prusch Branch Chief, System Engineering and Development Federal Emergency Management Agency 500 C Street S.W. Washington D.C. 20472 (202) 646-2888 4.1.5 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites? The data from the IA Module is stored in the consolidated master database at FEMA's Mt. Weather facility in Bluemont, VA and in the IA databases at the National Processing Service Centers (NPSCs) located in Denton, Texas, Hyattsville, Maryland, and Mt. Weather. FEMA Headquarters manages data use at all locations. Data consistency is maintained by regular replication of data among the NPSCs and the consolidated master database via automated procedures. FEMA has a configuration management process that is used to deploy the application in a consistent manner throughout the enterprise. 4.1.6 What are the retention periods of data in the system? The data in the system are considered federal government records. The records retention period for this data is 6 years and 3 months from the close of the case. Pursuant to the Government Paperwork Elimination Act (http://www.whitehouse.gov/omb/fedreg/gpea2.html ) and OMB Circular A-130, electronic records are given the same validity as paper-based records. Therefore, the retention periods for data are consistent with retention schedules established by the National Archives and Records Administration (NARA). 4.1.7 What are the procedures for expunging the data at the end of the retention period and are these procedures documented? The data will be destroyed/deleted in accordance with the NARA-approved records retention and disposition schedule established for FEMA records in FEMA Manual 5400.2, Records Management-Files Maintenance and Records Disposition. Electronic records are destroyed/deleted in accordance to the same NARA records retention schedule as the hard copy records. 4.1.8 Will the system provide the capability to monitor individuals or groups of individuals? If yes, explain. Yes, FEMA employs software programs that monitor host and network traffic to identify unauthorized attempts to upload or change information or otherwise cause damage by individuals or group of individuals. Unauthorized attempts to upload information or change information are prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act. The system has an audit trail of the changes made to the application and the user information associated with that change. Hence, the ability to monitor unauthorized access is provided. 4.1.9 What controls are in place to prevent unauthorized monitoring of individuals or groups of individuals? The FEMA Recovery Division, Individual Assistance Branch strictly controls access to the applicant data using the NEMIS-provided, organizationally structured, role-based access controls for official use only. The controls limiting an individual applicant's access have already been described in detail above. 4.1.10 Under which Systems of Record Notice (SORN) does the system operate? Provide Number and Name. The system currently operates under the already existing Privacy Act system of records, the "Disaster Recovery Assistance Files" (66 FR 195, October 9, 2001). SECTION 5: DECISION ANALYSIS 5.1 Did you evaluate competing technologies on their privacy handling capabilities? If yes, explain. No, FEMA has not evaluated competing technologies on their privacy handling capabilities. 5.2 Were any choice changes made to system architectures, hardware, software, or implementation plans as a result of doing a PIA? If yes, explain. No, there were no changes made to system architectures, hardware, software, or implementation plans because of a privacy impact assessment. Security and privacy requirements have always driven the NEMIS architecture, applications, and operations. Part B: National Emergency Management Information System (NEMIS) Individual Assistance (IA) Module Internet Applications Privacy Impact Assessment R. Kim/FEMA/OGC/PIA-Pt.A-FINAL-10-6-04-DHS REVIEW-Disaster Assistance- RYK.doc/10-6-04