Privacy Impact Assessment
Domestic Hemp Production Program (DHPP)
Version: 1.4
Date: November 15, 2019
Prepared for: USDA OCIO-Policy, E-Government and Fair Information Practices (PE&F)
Privacy Impact Assessment for the U.S. Domestic Hemp Production Program (DHPP)
November 15, 2019
Contact Point
William F. Richmond
Agricultural Marketing Service
(202)720-9921
Reviewing Official
Teresa Gilbert
Branch Chief, MRPBS
United States Department of Agriculture
(301) 851-2524
The new system is the AMS HEMP Program. The Agriculture Improvement Act of 2018 (2018 Farm Bill) directs the U.S. Department of Agriculture (USDA) to establish a domestic hemp production program. As part of this program, the 2018 Farm Bill requires USDA to collect data from States and Tribal Nations regarding hemp growers under their jurisdiction as well as licensing information on growers operating under the USDA hemp production plan. Additionally, the 2018 Farm Bill requires USDA to share the collected information with Federal, State, territorial, and local law enforcement. The Agricultural Marketing Service (AMS) is the USDA agency tasked with implementing the domestic hemp production program.
The system name is the AMS HEMP Program and AMS owns the system.
The 2018 Farm Bill mandates that USDA establish the Domestic Hemp Production Program. As part of this program, the 2018 Farm Bill requires USDA to collect data from States and Tribal Nations regarding hemp growers under their jurisdiction as well as licensing information on growers operating under the USDA hemp production plan. Additionally, the 2018 Farm Bill requires USDA to share the collected information with Federal, State, territorial, and local law enforcement. The AMS HEMP Program system will leverage the Department of Justice, Drug Enforcement Administration (DEA)’s El Paso Intelligence Center (EPIC) to fulfill this requirement.
This system will provide a secure public-facing interface where applicants (both individuals and businesses) can submit their licensing information, including attachments (PDFs, JPEGs, DOC files, etc.). This system will also provide a secure interface where States and Tribal Nations may submit their state or tribal plans for USDA approval, their licensee or authorized producer information (as indicated above), land identification information, monthly reports on the disposal of non-conforming plants and materials, and annual reports.
This system will interface with the Farm Service Agency (FSA) to receive information from licensees, which will include: field acreage, greenhouse or indoor square footage of hemp planted; street address; geospatial location or other comparable identification method which specifies where the hemp will be produced; and legal description of the land. Additionally, this system will provide real-time external reporting of relevant data to FSA and DEA.
While this system is being built, USDA will manually collect information from States, Tribes, and Laboratories, and manually share information with the DEA.
All security controls will adhere to NIST 800-53, which includes recommended security controls for Federal information systems and organizations.
Section 1.0 Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, rule, or technology being developed.
The information collected and disseminated includes: name and address of grower; street address, legal description of the land, field acreage, greenhouse or indoor square footage of hemp planted; GIS coordinates of land on which hemp is grown; laboratory results from testing crop prior to harvest; report on disposal of noncompliant plants; criminal history reports; and licensing or authorization identifier and status of grower.
AMS will share information with DEA.
The 2018 Farm Bill requires USDA to collect data from States and Tribal Nations regarding hemp growers under their jurisdiction as well as licensing information on growers operating under the USDA hemp production plan. Additionally, the 2018 Farm Bill requires USDA to share the collected information with Federal, State, territorial, and local law enforcement.
The system has a series of data validation rules. Users are responsible for checking data prior to submission, which is then reviewed by USDA. The 2018 Farm Bill requires USDA to conduct inspections and audits of individual growers licensed under the USDA hemp production plan, as well as States and Tribes administering their own hemp production plans. These inspections and audits are conducted by subject matter experts.
Access to the AMS HEMP Program is strictly controlled, with access granted through the USDA secure single sign-on application e-Authentication with level 2 validation and authorization within AMS/USDA. The AMS HEMP Program is role-based: users access the system using unique authorized accounts and are assigned level-of-access roles based on their needs. The level of access for the user restricts the data that can be seen and the degree to which data may be modified by the user. Any information transmitted to DEA will be encrypted.
The following questions are intended to delineate clearly the use of information and the accuracy of the data being used.
AMS will collect the data as required by the 2018 Farm Bill to ensure compliance with the Farm Bill, including sharing with the DEA, which will share information with other Federal, State and local law enforcement agencies. The data is used to make licensing and compliance determinations regarding hemp growers across the United States. This could include suspension or revocation of a hemp production license, or reporting to the U.S. Attorney General.
No commercial or publicly available data will be used.
The following questions are intended to outline how long information will be retained after the initial collection.
The following questions are intended to define the scope of sharing within the United States Department of Agriculture.
The following questions are intended to define the content, scope, and authority for information sharing external to USDA which includes Federal, State and local government, and the private sector.
As the 2018 Farm Bill requires USDA to share information with Federal, State, territorial, and local law enforcement, USDA will share information with the DEA on who is licensed to grow hemp, where the hemp is grown, and whether the producer of said hemp is in “good standing” with USDA, a State, or a Tribe. DEA will in turn share the information with law enforcement through EPIC.
The SORN is being published in connection with the regulations implementing the Domestic Hemp Production Program.
Information will be shared between AMS and DEA through an Application Program Interface.
Risks of exposing the limited PII that will be shared are mitigated by effective security measures. User access controls are in place which allow disclosure only to authorized DEA employees. All security controls will comply with NIST 800-53.
The following questions are directed at notice to the individual of the scope of information collected, the right to consent to uses of said information, and the right to decline to provide information.
The SORN is being published in connection with the regulations implementing the Domestic Hemp Production Program.
Notice is provided when users submit a license application form or enter information into the system electronically.
The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.
The system will allow certain users role-based access to their data through E-authorization.
The system will allow users role-based access to their data through E-authorization.
The following questions are intended to describe technical safeguards and security measures.
End users have access only to their own information and have write privileges to a very limited subset of this information.
System administrators, database administrators, and designated application representatives have customized access based on the requirements needed for completing their specific job functions.
Regarding access role management, the Agency application business owners designate internal access role administrators, and they are responsible for maintaining the access role membership.
When identity management views are assigned to a user, the view is limited to the least amount of data needed for completing the user’s specific job functions. If Personally Identifiable Information is included in the view, the administrator receiving the view must adhere to security precautions as outlined in AMS and Department regulations.
Access is based on need. If there is a need to access the system, they would go through the same procedures as other users.
In progress.
The system uses e-authentication and e-authorization for role-based access to provide least privilege and prevent unauthorized access. There is electronic validation of many of the data elements, and manual audits are conducted on a regular basis.
The security controls are implemented based on the NIST SP 800-53 security control requirements and have been approved to mitigate risk to an adequate level.
The AMS Hemp Program Risk Assessment indicates that the system contains privacy information in accordance with the Privacy Act. Therefore, controls defined in NIST 800-53 have been implemented to mitigate risks. The following controls are applicable:
AR-02 – Privacy Impact and Risk Assessment
AR-05 – Privacy Awareness and Training
TR-02 – Systems of Records Notices and Privacy Act Statements
Additionally, access controls are established to ensure proper authentication and non-repudiation. Each user is required to read and acknowledge the Rules of Behavior prior to receiving account credentials.
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware and other technology.
No.
The following questions are directed at critically analyzing the privacy impact of using third party websites and/or applications.
Yes.
N/A.
N/A.
N/A.
N/A.
N/A.
No.
N/A.
N/A.
________________________________
System Owner
AMS HEMP Program
Agricultural Marketing Service
United States Department of Agriculture
________________________________
MRP CISO or MRP ISSPM
Marketing and Regulatory Programs
United States Department of Agriculture
________________________________
Mark R. Brook
Privacy Act Officer
Agricultural Marketing Service
United States Department of Agriculture
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | Bennett, Patty - AMS |
File Modified | 0000-00-00 |
File Created | 2021-01-15 |