United States Department of Agriculture
National Agricultural Statistics Service
NASS Census Processing System
Privacy Impact Assessment
(PIA)
August 8, 2007
Prepared by:
National Agricultural Statistics Service
1400 Independence Ave., S.W.
Washington, DC 20250
USDA PRIVACY IMPACT ASSESSMENT FORM
Agency: National Agricultural Statistics Service
System Name: NASS Census Processing System
System Type: Major Application
General Support System
Non-major Application
System Categorization (per FIPS 199): High
Moderate
Low
Description of the System:
The NASS Census Processing System is primarily used to the Census of Agriculture which is congressionally mandated to be conducted every 5 years in years ending in 2 or 7. The system can also be used for processing follow-on surveys and censuses. This major application runs on machines housed at the USDA/NITC facility in Kansas City, MO, and Headquarters in Washington, D.C.
Who owns this system? (Name, agency, contact information)
Brian Lounsbury
National Agricultural Statistics Service
1400 Independence Ave., S.W.
Washington, DC 20250
Tel.No. (202)720-7906
Who is the security contact for this system? (Name, agency, contact information)
Renato Chan
National Agricultural Statistics Service
1400 Independence Ave., S.W.
Washington, DC 20250
Tel.No. (202)720-4068
Who completed this document? (Name, agency, contact information)
Renato Chan
National Agricultural Statistics Service
1400 Independence Ave., S.W.
Washington, DC 20250
Tel.No. (202)720-4068
Indicate whether the following types of personal data are present in the system
QUESTION 1 Does the system contain any of the following type of data as it relates to individual: |
Citizens |
Employees |
Name |
Yes |
No |
Social Security Number |
No |
No |
Telephone Number |
Yes |
No |
Email address |
No |
No |
Street address |
Yes |
No |
Financial data (i.e. account numbers, tax ids, etc) |
No |
No |
Health data |
No |
No |
Biometric data |
No |
No |
QUESTION 2
Can individuals be uniquely identified using personal information such as a combination of gender, race, birth date, geographic indicator, biometric data, etc.?
NOTE: 87% of the US population can be uniquely identified with a combination of gender, birth date and five digit zip code1 |
No |
No |
Are social security numbers embedded in any field? |
No |
No |
Is any portion of a social security numbers used? |
No |
No |
Are social security numbers extracted from any other source (i.e. system, paper, etc.)? |
No |
No |
If all of the answers in Questions 1 and 2 are NO,
You do not need to complete a Privacy Impact Assessment for this system and the answer to OMB A-11, Planning, Budgeting, Acquisition and Management of Capital Assets,
Part 7, Section E, Question 8c is:
3. No, because the system does not contain, process, or transmit personal identifying information.
If any answer in Questions 1 and 2 is YES, provide complete answers to all questions below.
Generally describe the data to be used in the system. The data collected reflect the general and specific information about a respondent’s agricultural operation. Information on the amount and value of land in the farm, the commodities grown or raised on that land, the production and value of products sold from that land, as well as other economic and demographic information directly related to that agricultural operation. The system processes census data from mail out and data capture, data collection and tracking, data editing, data analysis, data summarization and tabulation, and publication of aggregated totals by county, state, regional and the United States.
Is the collection of the data both relevant and necessary to the purpose for which the system is designed? In other words, the data is absolutely needed and has significant and bearing on the system’s purpose.
Yes
No. If NO, go to question 5
Explain.
The system is designed to process census data. The data collected is included in published in various aggregated totals at various geographical levels.
Sources of the data in the system.
What data is being collected from citizens and/or employees?
Data about respective agricultural operations including economic and demographic information.
What USDA agencies are providing data for use in the system?
What government agencies (state, county, city, local, etc.) are providing data for use in the system?
The Bureau of the Census at the National Processing Center (NPC) in Jeffersonville, Indiana is used to mail out and electronically capture data from returned report forms. NPC transfers these files to NASS electronically.
From what other third party sources is data being collected?
None
Will data be collected from sources outside your agency? For example, citizens and employees, USDA sources (i.e. NFC, RD, etc.) or Non-USDA sources.
Yes
No. If NO, go to question 7
How will the data collected from citizens and employees be verified for accuracy, relevance, timeliness, and completeness?
The Census Processing System has many tools for validating and analyzing the data to ensure it is accurate, relevant, timely and complete. If data questions still remain, the respondent may be contacted by NASS to clarify questions and ensure the data meets all the above criteria.
How will the data collected from USDA sources be verified for accuracy, relevance, timeliness, and completeness? N/A
How will the data collected from non-USDA sources be verified for accuracy, relevance, timeliness, and completeness? The Census Processing System has many tools for validating and analyzing the data to ensure it is accurate, relevant, timely and complete.
Individuals must be informed in writing of the principal purpose of the information being collected from them. What is the principal purpose of the data being collected?
To provide a uniform accounting of the entire agriculture sector every 5 years for county, State, regional and national geographic levels. The data is used by farm operators, governments, manufacturers, media, researchers, academia, and businesses. It provides an historical picture of agriculture at various points in time.
Will the data be used for any other purpose?
Yes
No. If NO, go to question 9
What are the other purposes?
Is the use of the data both relevant and necessary to the purpose for which the system is being used? In other words, the data is absolutely needed and has significant and demonstrable bearing on the system’s purpose.
Yes
No. If NO, go to question 10
Explain. The data is processed (as stated above) and aggregates which have passed rigorous efforts to protect and ensure a respondent’s confidentiality from being disclosed are published. Without the data there is no need for a system and there would be no deliverable product.
Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected (i.e. aggregating farm loans by zip codes in which only one farm exists.)?
Yes
No. If NO, go to question 11
Will the new data be placed in the individual’s record (citizen or employee)?
Yes
No
Can the system make determinations about citizens or employees that would not be possible without the new data?
Yes
No
How will the new data be verified for relevance and accuracy? By using validation, range, and consistency edits, and relational and historical comparison edits. By using various analysis tools to ensure data is relevant and accurate.
Individuals must be informed in writing of the routine uses of the information being collected from them. What are the intended routine uses of the data being collected?
The collected data will be used as inputs to the summary, tabulation, and disclosure programs and published in aggregated totals by geographic locations. Once aggregated and published, the data is used by farm operators, governments, manufacturers, media, researchers, academics, and businesses. It provides an historical picture of agriculture at various points in time.
Will the data be used for any other purpose (other than indicated in question 11)?
Yes
No. If NO, go to question 13
What are the other purposes?
Automation of systems can lead to the consolidation of data – bringing data from multiple sources into one central location/system – and consolidation of administrative controls. When administrative controls are consolidated, they should be evaluated so that all necessary privacy controls remain in place to the degree necessary to continue to control access to and use of the data. Is data being consolidated?
Yes
No. If NO, go to question 14
What controls are in place to protect the data and prevent unauthorized access? Strict security and access controls are in place to ensure only sworn and authorized employees or agents of NASS have access to the data.
Are processes being consolidated?
Yes
No. If NO, go to question 15
What controls are in place to protect the data and prevent unauthorized access? Strict security and access controls are in place to ensure only sworn and authorized employees or agents of NASS have access to the consolidated data.
Is the data periodically purged from the system?
Yes
No. If NO, go to question 16
How long is the data retained whether it is on paper, electronically, in the system or in a backup? Retention and disposal practices are in accordance with approved National Archives and Records Administration (NARA) schedules.
What are the procedures for purging the data at the end of the retention period? Retention and disposal practices are in accordance with approved National Archives and Records Administration (NARA) schedules.
Where are these procedures documented? Retention and disposal practices are in accordance with approved National Archives and Records Administration (NARA) schedules.
While the data is retained in the system, what are the requirements for determining if the data is still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations? Once the data has been processed, and aggregated to published totals, that data is frozen and no changes are made to its content.
Is the data retained in the system the minimum necessary for the proper performance of a documented agency function?
Yes
No
Will other agencies share data or have access to data in this system (i.e. international, federal, state, local, other, etc.)?
Yes
No. If NO, go to question 19
How will the data be used by the other agency?
Who is responsible for assuring the other agency properly uses of the data?
Is the data transmitted to another agency or an independent site?
Yes
No. If NO, go to question 20
Is there the appropriate agreement in place to document the interconnection and that the PII and/or Privacy Act data is appropriately protected? The NASS Memorandum of Understanding with NPC and NITC contains provisions for (1) Network Data Confidentiality, Integrity and Availability, and (2) Physical Security.
Where are those documents located?
NASS maintains a copy of the Memorandum of Understanding in its Headquarters offices in Washington, D.C.
Is the system operated in more than one site?
Yes
No. If NO, go to question 21
How will consistent use of the system and data be maintained in all sites?
All NASS employees are required to sign a pledge of confidentiality that carries severe legal penalties for violating the pledge. NASS employs physical security controls, logical access controls, technological controls, auditing and monitoring of controls. NASS uses a secure, common configuration that all Field Offices and Headquarters are required to use. Magnetic backup tapes stored at NITC and NPC are secured within areas to which access is limited to authorized personnel only
Who will have access to the data in the system (i.e. users, managers, system administrators, developers, etc.)? Sworn NASS employees will have access to the processing systems. The majority of NASS employees with access will be users of the system. A very limited number of NASS technical support staff including infrastructure, database administrators could have system administration access to the data. All NASS employees are required to sign a pledge of confidentiality that carries severe legal penalties for violating the pledge. NASS employs physical security controls, logical access controls, technological controls, auditing and monitoring of controls.
How will user access to the data be determined? Users are limited to accessing the data through the census processing system and all of the tools associated with it. Authorized users can also use COTS read only query tools to help with the analysis of the data.
Are criteria, procedures, controls, and responsibilities regarding user access documented?
Yes
No. If NO, go to question 23
Where are criteria, procedures, controls, and responsibilities regarding user access documented? Electronic records of authorized requests for user accounts are maintained. Data access is strictly limited to NASS employees that have been officially authorized to have access. All NASS employees are required to sign a pledge of confidentiality that carries severe legal penalties for violating the pledge. NASS employs physical security controls, logical access controls, technological controls, auditing and monitoring of controls.
How will user access to the data be restricted? Users are validated at several levels, including the network, database, internal application access controls and role level security before being allowed to access the data. NASS employs physical security controls, logical access controls, technological controls, auditing and monitoring of controls to accommodate this.
Are procedures in place to detect or deter browsing??
Yes
No
Are procedures in place to detect or deter unauthorized user access?
Yes
No
Does the system employ security controls to make information unusable to unauthorized individuals (i.e. encryption, strong authentication procedures, etc.)?
Yes
No
Who will be responsible for protecting the privacy rights of the citizens and employees affected by the interface (i.e. office, person, departmental position, etc.)?
It is the responsibility of all NASS employees and sworn agents to protect the privacy rights of citizens and employees affected by the interface. All NASS employees are required to sign a pledge of confidentiality that carries severe legal penalties for violating the pledge.
How can citizens and employees contact the office or person responsible for protecting their privacy rights? NASS officials can be contacted in Headquarters and each Field Office.
A “breach” refers to a situation where data and/or information assets are unduly exposed. Is a breach notification policy in place for this system?
Yes - If YES, where is the breach notification policy located?
The policy is located in Security office at Headquarters in Washington, D.C.
No - If NO, please enter the POAM number with the estimated completion date:
Consider the following:
Consolidation and linkage of files and systems
Derivation of data
Accelerated information processing and decision making
Use of new technologies
Is there a potential to deprive a citizens and employees of fundamental rules of fairness (those protections found in the Bill of Rights)?
Yes
No. If NO, go to question 29
Explain how this will be mitigated?
How will the system and its use ensure equitable treatment of citizens and employees?
Is there any possibility of treating citizens and employees differently and unfairly based upon their individual or group characteristics?
Yes
No. If NO, go to question 31
Explain
Can the data be retrieved by a personal identifier? In other words, does the system actually retrieve data by the name of an individual or by some other unique number, symbol, or identifying attribute of the individual?
Yes
No. If NO, go to question 32
How will the data be retrieved? In other words, what is the identifying attribute (i.e. employee number, social security number, etc.)?
Data is retrieved by unique identification numbers internal to the agency.
Under which Systems of Record notice (SOR) does the system operate? Provide number, name and publication date. (SORs can be viewed at www.access.GPO.gov)
USDA/NASS-03 Census of Agriculture Records
If the system is being modified, will the SOR require amendment or revision?
If the scope of the personal data maintained is modified, the System of Record will be modified, accordingly.
Is the system using technologies in ways not previously employed by the agency (e.g. Caller-ID)?
Yes
No. If NO, the questionnaire is complete.
How does the use of this technology affect citizens and employees privacy?
Upon completion of this Privacy Impact Assessment for this system, the answer to
OMB A-11, Planning, Budgeting, Acquisition and Management of Capital Assets,
Part 7, Section E, Question 8c is:
1. Yes.
PLEASE SUBMIT A COPY TO
THE OFFICE OF THE ASSOCIATE CHIEF INFORMATION OFFICE/CYBER SECURITY
1 Comments of Latanya Sweeney, Ph.D., Director, Laboratory for International Data Privacy Assistant Professor of Computer Science and of Public Policy Carnegie Mellon University To the Department of Health and Human Services On "Standards of Privacy of Individually Identifiable Health Information". 26 April 2002.
FOR OFFICIAL USE ONLY
Page
File Type | application/msword |
File Title | Privacy Impact Assessment |
Author | Richard Ciampa |
Last Modified By | HancDa |
File Modified | 2008-04-24 |
File Created | 2008-04-24 |