Initial Privacy Assessment (IPA)

DRGR IPA_ 3-7-14.docx

Closeout Instructions for Community Development Block Grant Programs (CDBG)

Initial Privacy Assessment (IPA)

OMB: 2506-0193

⚠️ Notice: This form may be outdated. More recent filings and information on OMB 2506-0193 can be found here:

2022-05-19 - No material or nonsubstantive change to a currently approved collection
2021-11-16 - Reinstatement without change of a previously approved collection

Document [docx]

Download: docx | pdf

U.S. DEPARTMENT OF

HOUSING AND URBAN DEVELOPMENT

INITIAL PRIVACY ASSESSMENT (IPA)

Closeout Instructions for Community Development Block Grant (CDBG) Programs Grants

[Community Planning and Development]

INTRODUCTION

What is an Initial Privacy Assessment?

An Initial Privacy Assessment (IPA) is designed to assess whether a Privacy Impact Assessment (PIA), a Privacy Act system of records notice (SORN), and/or other related privacy documents are required. The responses to the IPA will provide a foundation for both a PIA and a SORN should either or both be required, and will also help to identify any policy concerns.

The IPA incorporates the matters previously addressed in the Department’s Privacy Identifiable Information (PII) Survey, and thus replaces the survey.

When should an IPA be completed?

An IPA should be completed during the system’s design phase, whether the system is electronic or contains only records in paper form, and should be completed before commencement of any testing or pilot project of an information system. Additionally, an IPA should be completed any time there is a change to the information system to determine whether there are any privacy issues as a result of such a change.

Who should complete the IPA?

The IPA should be written and reviewed by a combination of the component’s (e.g., Privacy Act Officer, System Owner, Project Leaders), and the program-specific office responsible for the system.

How is the IPA related to the Capital Planning and Certification and Accreditation process?

Upon completion and approval of the IPA by the Privacy Officer the official document may be uploaded into the C&A tool, and provided as part of the IT Capital Planning process as validation of the completed evaluation. The completed IPA demonstrates that the program components have consciously considered privacy and related requirements as part of the overall system design. For an IT system that does not require a C&A, such as a minor application that runs on a system that does require a C&A, an IPA still should be completed to determine if other related privacy documentation are required for that system or project.

Where should the completed IPA be sent?

A copy of the completed IPA should be sent to the Office of Privacy via email to Donna.Robinson.Staton@HUD.gov and Nadine.Craft@HUD.gov. The Privacy Officer will review the IPA and determine what additional privacy documentation is required, and then will advise the Program component accordingly.

Initial Privacy Assessment

INFORMATION ABOUT THE PROJECT/SYSTEM

Date submitted for review: March 12, 2014
Project Name/Acronym: Closeout Instructions for Community Development Block Grant (CDBG) Programs Grants
System Owner/Contact Information: Jessie Handforth Kome, 202-402-5539
Project Leader/Contact Information: James Stansell, 202-402-2158 CPD ISS0/Contact Information: Sam Walker, 202-402-3883 Which of the following describes the type of records in the system:
	Paper-Only
	Combination of Paper and Electronic
	Electronic-Only
	Other: Please describe the type of project including paper based Privacy Act System of Records

* Note: For this form purpose, there is no distinction made between technologies/ systems managed by contractors. All technologies/systems should be initially reviewed for potential privacy impact.

Provide a general description of the system or project that describes: (a) the functionality of the system and the purpose that the records and/or system serve; (b) who has access to information in the system; (c) how information in the system is retrieved by the user; (d) how information is transmitted to and from the system; and (e) interconnections with other systems.

The Closeout Instructions for Community Development Block Grant (CDBG) Programs Grants will be using the Disaster Recovery and Reporting System (DRGR), to provide information to the HUD field offices. DRGR is a web-based system used to electronically administer several HUD grant programs including Community Development Block Grant – Disaster Recovery (CDBG-DR_, OneCPD Technical Assistance (OneCPD-TA), Neighborhood Stabilization Program Technical Assistance (NSP-TA), Rural Innovation Fund (RIF) and the Neighborhood Stabilization Programs (NSP1, NSP2 and NSP3). Grantees use DRGR to specify disaster impact, identify needs, develop action plans, propose activities, draw grant funds (via LOCCS interface), and report on accomplishments. HUD uses DRGR to track immediate and long-term grantee progress, approve draws, monitor funds, and ensure compliance with requirements specific to each grant. Information is transmitted to the DRGR system using the internet via a browser on the user’s PC or laptop. The DRGR system interfaces with the Line of Credit Control System (LOCCS).

Have the IPA been reviewed and approved by the Departmental Privacy Officer

	YES
	NO (Please contact component privacy official before submitting official IPA.)

Status of System or Project

This is a new system or project in development

Specify expected production date: Do not complete Section II.

This is an existing system or project.

After completing Section I, complete Section II.

System or project personal identifiers/sensitive information

YES	NO	Does the system or project collect, maintain use or disseminate other personal identifiers/ sensitive information (i.e., name, home address, home telephone number, date of birth, gender status, income/financial data. employment, medical history, criminal record, etc.)?

If yes, briefly describe the types of information about individuals in the system.

Some grant program policies for programs such as NSP require that state/local and other organizations receiving grants enter addresses for single-family properties that receive funds for construction and repair, and homeownership assistance, but these records do not include the name or other personal identifying information of any persons residing at these properties.

To create new user accounts for grantees or HUD staff, we ask for their name and office address, phone # and email address.

Does the information about individuals identify particular individuals (i.e., is the information linked or linkable to specific individuals, often referred to as personally identifiable information?)

	YES
	NO (If no, indicate below how the information is not identifiable to specific individuals.

Does the personally identifiable information in the system pertain only to government employees, contractors, or consultants?

	YES (If yes, specify individual type.) ___________________________________
	NO (If no, indicate below how the information is not identifiable to specific individuals.

Is there an existing Privacy Act System of Records Notice (SORN) that has been published in the Federal Register to cover the system? (Please consult with the component’s Privacy Act Officer if assistance is needed in responding to this question.)

	YES
	NO

SSN usage

YES	NO	Do the project or system collect, maintain, use, or disseminate Social Security Numbers (SSNs)? (This includes truncated SSNs)

If yes, please provide the purpose/legal authority authorizing the solicitation of SSNs:

Is there a Certification & Accreditation record for your system?

YES (If yes, indicate the following :)

Confidentiality

Low

Moderate

High

Undefined

Integrity

Low

Moderate

High

Undefined

Availability

Low

Moderate

High

Undefined

NO (If no, please identify the FISMA-reported system whose C&A covers this system.)

DO NOT KNOW

II. EXISTING SYSTEM OR PROJECT

When was the system developed? The DRGR system was developed in 1992 for HUD grantees following Hurricane Andrew to submit plans on projected use of funds and to provide subsequent progress/performance reports.

If an existing system, has the system undergone any changes since April 17, 2003?

YES (If yes, explain the nature of those changes and proceed to Question 3.)

Significant changes to the DRGR system have been implemented. Below is a table summarizing all releases with major functionality changes since 2003:

	Release #	Release Date	Business Benefits
LOCCS Integration	Release 6.3	9-Jan	Integration of DRGR with LOCCS for purposes of drawing down grants. Users track grant and program income disbursements to other organization at the activity level through a drawdown module instead of self-reporting and making draws at the grant/program level. This removes the need for reconciliation between systems.
Microstrategy /	Release 6.4	9-Jul	Allows HUD users and grantee users to extract DRGR data in Microstrategy to compare to grantee data systems and to also examine patterns in data needed for program compliance reviews and data correction.
Single Sign on
Grantee Oversight Activities: Monitoring, Audit, Technical Assistance	Release 6.5	10-Apr	Permits remote review of grantee oversight activities used to prevent fraud, waste, and abuse. Grantees enter data on compliance reviews made of other organizations funded under CPD grant programs in DRGR and organizations that receive technical assistance from the grantees. HUD staff can review the data remotely to assess risk and identify need for HUD monitoring and technical assistance.
Beneficiary Data: Census Data Lookup Tables and Race/Ethnicity Data Entry	Release 7.0	10-Sep	DRGR added census data lookup and calculation screens in Action Plan, DRGR also added Race/Ethnicity data entry screens for FHEO in QPR. Both types of screens permit remote review of data for purposes of risk assessment and HUD compliance monitoring. Release also included new user certification screens based on OIG findings in 2009-DP-0007. Re-certifications required each six months.
User Certification Screens
Improved Financial Management of Program Income		11-Dec	Grantees are required to spend program income (funds generated from grant programs) before drawing down additional grant funds. This release improved management of program income by providing receipt screens instead of quarterly reports of program income disbursed and used available balance calculations to enforce requirements to disburse program income funds before grant funds based on applicable program regulations and notices. The release included enhanced audit trail/data change history files based on OIG findings in 2011-DP-0008
	Release 7.3
Customization of Screens for	Release 7.4 – Release 7.6	Apr-12 to Nov-12	Customization of TA request and workplan screens to improve oversight of TA programs. The release will allow for processing of TA requests, TA workplans, invoices, and payments within DRGR rather than depending on external distribution of documents for management of TA engagements. The release will include remaining audit trail/data change history items from OIG findings in 2011-DP-0008
Technical Assistance (TA)Programs

NO (If no, proceed to question 5.)

Do the changes to the system or project involve a change in the type of records maintained, the individuals on whom records are maintained, or the use or dissemination of information from the system?

	YES
	NO

Please indicate if any of the following changes to the system or project have occurred: (Mark all boxes that apply.)

	A conversion from paper-based records to an electronic system.
	A change from information in a format that is anonymous or non-identifiable to a format that is identifiable to particular individuals.
	A new use of an IT system, including application of a new technology that changes how information in identifiable form is managed. (For example, a change that would create a more open environment and /or avenue for exposure of data that previously did not exist.)
	A change that results in information in identifiable form being merged, centralized, or matched with other databases.
	A new method of authenticating the use of an access to information in the identifiable form by members of the public.
	A systematic incorporation of databases of information in identifiable form purchased or obtained from commercial or public sources.
	A new interagency use of shared agency function that results in new uses or exchanges of information in identifiable form.
	A change that results in a new use of disclosure of information in identifiable form.
	A change that results in new items of information in identifiable form being added into the system.

Does a PIA for the system already exist?

	YES (If yes, provide the date and title of the PIA and whether the PIA is posted on the Privacy Office webpage). The existing DRGR PIA was done in May 2005 and yes it is posted on the Privacy Office webpage.
	NO.

IPA Determination/Approval

(To be completed by the Privacy Office)

DATE REVIEWED:

REVIEWERS NAME:

This is NOT a Privacy Sensitive Project – the project contains no personal identifiers/sensitive information

This IS a Privacy Sensitive Project

PTA sufficient at this time

A PIA is required

COMMENTS:

______________________________________________ _______________________________

Program Director Signature Date

[Title]

_______________________________________________ ________________________________

Departmental Privacy Officer Signature Date

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author	h04105
File Modified	0000-00-00
File Created	2021-01-27