Supporting Statement A (2)

Supporting Statement A (2).docx

Data Security Requirements for Accessing Confidential Data

OMB: 0536-0079

Document [docx]
Download: docx | pdf


SUPPORTING STATEMENT – PART A

Economic Research Service; US Department of Agriculture

Data Security Requirements for Accessing Confidential Data

OMB Control No. 0536-XXXX



A. Justification


The Foundations for Evidence-Based Policymaking Act of 2018 (44 U.S.C. 3583) mandates that the Director of the Office of Management and Budget (OMB) establish a standard application process (SAP) for requesting access to certain confidential data assets. While the adoption of the SAP is required for statistical agencies and units designated under the Confidential Information Protection and Statistical Efficiency Act of 2018 (CIPSEA), it is recognized that other agencies and organizational units within the Executive Branch may benefit from the adoption of the SAP to accept applications for access to confidential data assets. The SAP is to be a process through which agencies, the Congressional Budget Office, State, local, and Tribal governments, researchers, and other individuals, as appropriate, may apply to access confidential data assets held by a federal statistical agency or unit for the purposes of developing evidence. With the Interagency Council on Statistical Policy (ICSP) as advisors, the entities upon whom this requirement is levied are working with the SAP Project Management Office (PMO) and with OMB to implement the SAP. The SAP Portal is to be a single web-based common application designed to collect information from individuals requesting access to confidential data assets from federal statistical agencies and units. In late 2022, the National Center for Science and Engineering Statistics (NCSES), in its role as the SAP PMO, published a 60-day Federal Register Notice (87 FR 53793) and 30-day Federal Register Notice (87 FR 66754) announcing plans to collect information through the SAP Portal. This collection request was submitted to the Office of Management and Budget as a Common Form in late 2022; the OMB control number for SAP Portal information collection is 3145-0271 and the expiration date is 12/31/2025.


When an application for confidential data is approved through the SAP Portal, Economic Research Service (ERS) will collect information to fulfill its data security requirements. This is a required step before providing the individual with access to confidential microdata for the purpose of evidence building. ERS’s data security agreements and other paperwork, along with the corresponding security protocols, allow ERS to maintain careful controls on confidentiality and privacy, as required by law. This collection will occur outside of the SAP Portal. On 12/23/2022, ERS published a 60-day Federal Register Notice 87 FR 78913 announcing plans for this collection.


This submission requests approval to collect information from individuals to fulfill ERS’s data security requirements. This request is from Economic Research Service (ERS) within US Department of Agriculture.


  1. Necessity of the Information Collection


Title III of the Foundations for Evidence-Based Policymaking Act of 2018 (hereafter referred to as the Evidence Act) mandates that OMB establish a Standard Application Process (SAP) for requesting access to certain confidential data assets. Specifically, the Evidence Act requires OMB to establish a common application process through which agencies, the Congressional Budget Office, State, local, and Tribal governments, researchers, and other individuals, as appropriate, may apply for access to confidential data assets collected, accessed, or acquired by a statistical agency or unit. This new process will be implemented while maintaining stringent controls to protect confidentiality and privacy, as required by law.


Data collected, accessed, or acquired by statistical agencies and units is vital for developing evidence on the characteristics and behaviors of the public and on the operations and outcomes of public programs and policies. This evidence can benefit the stakeholders in the programs, the broader public, and policymakers and program managers at the local, State, Tribal, and National levels. The many benefits of access to data for evidence building notwithstanding, ERS is required by law to uphold rigorous controls that allow it to minimize disclosure risk and protect confidentiality. The fulfillment of ERS’s data security requirements places a degree of burden on individuals, which is outlined below.


The SAP Portal is a web-based application to allow individuals to request access to confidential data assets from federal statistical agencies and units. The objective of the SAP Portal is to broaden access to confidential data for the purposes of evidence building and reduce the burden of applying for confidential data. Once an individual’s application in the SAP Portal has received a positive determination, ERS will begin the process of collecting information to fulfill its data security requirements.


This Paperwork Reduction Act (PRA) supporting statement outlines the SAP Policy, the steps to complete an application through the SAP Portal, and the process ERS uses to collect information to fulfill its data security requirements.


The SAP Policy


At the recommendation of the ICSP, the SAP Policy establishes the SAP to be implemented by statistical agencies and units and incorporates directives from the Evidence Act. The policy is intended to provide guidance as to the application and review processes using the SAP Portal, setting forth clear standards that enable statistical agencies and units to implement a common application form and a uniform review process. The SAP Policy may be found in OMB Memorandum 23-04.


Method of Collection


The SAP Portal

The SAP Portal is an application interface connecting applicants seeking data with a catalog of metadata for data assets owned by the federal statistical agencies and units. The SAP Portal is not a new data repository or warehouse; confidential data assets will continue to be stored in secure data access facilities owned and hosted by the federal statistical agencies and units. The Portal will provide a streamlined application process across agencies, reducing redundancies in the application process. This single SAP Portal will improve the process for applicants, tracking and communicating the application process throughout its lifecycle. This reduces redundancies and burden on applicants who request access to data from multiple agencies. The SAP Portal will automate key tasks to save resources and time and will bring agencies into compliance with the Evidence Act statutory requirements.


Data Discovery

Individuals begin the process of accessing restricted use data by discovering confidential data assets through the SAP metadata catalog maintained by federal statistical agencies at www.researchdatagov.org. Potential applicants can search by agency, topic, or keyword to identify data of interest or relevance. Once they have identified data of interest, applicants can view metadata outlining the title, description or abstract, scope and coverage, and detailed methodology related to a specific data asset to determine its relevance to their research.


While statistical agencies and units shall endeavor to include information in the SAP metadata catalog on all confidential data assets for which they accept applications, it may not be feasible to include metadata for some data assets (e.g., potential special tabulations of administrative data). A statistical agency or unit may still accept an application through the SAP Portal even if the requested data asset or special tabulation is not listed in the SAP metadata catalog.


SAP Application – Researcher Information

Individuals who have identified and wish to access confidential data assets can apply for access through the SAP Portal at www.researchdatagov.org. Applicants must create an account and follow all steps to complete the application. Applicants begin by entering their personal, contact, and institutional information, as well as the personal, contact, and institutional information of all individuals on their research team.


SAP Application – Research Description

Applicants provide summary information about their proposed project to include project title, duration, funding, and timeline. Other details provided by applicants include the data asset(s) they are requesting and any proposed linkages to data not listed in the SAP metadata catalog, including non-federal data sources. Applicants then enter detailed information regarding their proposed project, including a project abstract, research question(s), list of references, research methodology, project products, and requested output. Within the application, applicants must demonstrate a need for confidential data, outlining why their research question cannot be answered using publicly available information.



Submission for Review

Upon submission of their application, applicants will receive a notification that their application has been received and is under review by the data-owning agency or agencies (in the event where data assets are requested from multiple agencies). During the application process, applicants are informed that application approval alone does not grant access to confidential data, and that, if approved, applicants must comply with the data-owning agency’s security requirements outside of the SAP Portal, which may include a background check.


Data discovery, the SAP application process, and the submission for review take place within the web-based SAP Portal.


Access to Confidential Data

In the event of a positive determination, the applicant will be notified that their proposal has been accepted. The positive or final adverse determination concludes the SAP Portal process. In the instance of a positive determination, the data-owning agency (or agencies) will contact the applicant to provide instructions on the agency’s security requirements that must be completed by the applicant to gain access to the confidential data. The completion and submission of the agency’s security requirements will take place outside of the SAP Portal.


Collection of Information for Data Security Requirements

In the instance of a positive determination for an application requesting access to an ERS-owned confidential data asset, ERS will contact the applicant(s) to initiate the process of collecting information to fulfill its data security requirements. This process allows ERS to place the applicant(s) in a trusted access category and includes the collection of the following information from applicant(s):


  • CIPSEA Training: ERS personnel provide a Security Briefing to all applicants who were approved access to restricted data. The Briefing includes information on the Confidential Information Protection and Statistical Efficiency Act of 2018, Title III of Public Law 115-435, codified in 44 U.S.C. Ch. 35 and other applicable Federal laws that protect the restricted data. Researchers will be asked to fill out the CIPSEA Review Form to verify that they reviewed the training.


  • Completion of form Certification and Restrictions on the Use of Confidential ERS Data. This form is required to be signed by researchers who have been approved to access unpublished ERS data (alternatively, some approved researchers complete on-line training in lieu of completing this form). The form contains excerpts of the various laws that apply to the unpublished data being provided to the researcher. The form explains the restrictions associated with the unpublished data and includes a place for the research to sign the form, thereby acknowledging the restrictions and agreeing to abide by them.



  • Completion of ERS Data Remote Workplace Security Inspection Checklist. Researchers approved to access unpublished ERS data do so using a secure data enclave environment accessible at their own location. An ERS employee performs a site inspection (either in-person or via a video call) of the researcher's location prior to the researcher being granted access to the unpublished data. During the site inspection, the ERS employee administers the form ERS Site Inspection Checklist, which asks questions pertaining to the suitability of the location for restricted data access and some of the policies associated with accessing the restricted data. The form also collects information about the computer the researcher will use to access the ERS data enclave.


  • Completion of ERS Memorandum of Understanding (MOU). Researchers approved to access unpublished ERS data need to complete a Memorandum of Understanding Agreement between the Economic Research Service and their university, institution, or agency. The form establishes data access protocols and party responsibilities. If necessary, researchers may request an extension to their MOU using the Extension of MOU Request Form.


  • Completion of ERS Project Agreement. This form captures the agreement for the scope of the research project including: defining the explicit economic hypotheses and questions to be addressed; demonstrating the relevance of the proposed research to the broad purposes for which the data were developed; establishing the merits and contributions of the proposed research to the academic literature and to the specific information needs of policymakers; explaining the research methodology; and describing how the analytic results will be presented—including planned table shells, charts, and figures, as well as planned peer-reviewed publications. For research projects that are required to use the SAP, the Portal Application contains a significant amount of the required information and may be appended to the form.


  • If a researcher wishes to add a new researcher to their previously approved project, they can fill out the Amendment for New Collaborators. If a researcher wishes to change the scope of a previously approved project, they may fill out the Request for Amended Project Agreement Form.



Authorization

This collection is authorized by The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), as reauthorized and expanded in Title III of the Foundations for Evidence-Based Policymaking Act of 2018 (Evidence Act), Pub. L. No. 115-435, tit. III, 132 Stat. 5544 (Jan. 14, 2019).




  1. Needs and Uses


The Paperwork Reduction Act (PRA) seeks to maximize the usefulness of information created, collected, maintained, used, shared, and disseminated by or for the federal government while also ensuring the greatest possible public benefit from such information. The PRA moreover mandates that the disposition of information by or for the federal government is consistent with laws related to privacy and confidentiality. ERS’s data security agreements ensure that ERS is compliant with PRA requirements.


Data collected, accessed, or acquired by statistical agencies and units is vital for developing evidence on conditions, characteristics, and behaviors of the public and on the operations and outcomes of public programs and policies. Access to confidential data on businesses, households, and individuals from federal statistical agencies and units enables agencies, the Congressional Budget Office, State, local, and Tribal governments, researchers, and other individuals to contribute evidence-based information to research and policy questions on economic, social, and environmental issues of national, regional, and local importance. This evidence can benefit the stakeholders in the programs, the broader public, as well as policymakers and program managers at the local, State, Tribal, and National levels.

Many applicants will be academic research faculty or students at U.S. universities or other types of research institutions. Other applicants are likely to include analysts at nonprofit organizations and research groups in U.S. Government organizations (Federal, State, local, and Tribal). Scientific research typically results in papers presented at scientific conferences and published in peer-reviewed academic journals, working paper series, monographs, and technical reports. The scientific community at large benefits from the additions to knowledge resulting from research with statistical agencies and units’ data. Results inform both scientific theory and public policy and can assist agencies in carrying out their missions.


Approved applicants using confidential data can provide insights on how statistical agencies and units may improve the quality of the data collected or acquired; identify shortcomings of current data collection programs and data processing methods; document new data needs; and develop methods to address survey nonresponse or improve statistical weights.


  1. Use of Information Technology


ERS will contact individuals whose approved applications requesting access to ERS’s confidential data via email. Applicants complete ERS’s required forms and resubmit by email.


  1. Efforts to Identify Duplication


ERS is required by law to maintain careful controls on confidentiality and limit disclosure risk. Its security forms are required for each approved research project to ensure minimal disclosure risk of ERS’s confidential data. ERS has reviewed its security requirements to eliminate duplication.


  1. Impact on Small Entities


Small businesses or their representatives may choose to participate in this voluntary collection of information. The burden of this collection does not represent a significant barrier to participation from small businesses and is not large enough to pose significant costs to respondents, including small businesses.


  1. Consequences of Less Frequent Collection


ERS requires and collects information for its security forms for all individuals who will access data and output that has not been cleared for disclosure review. Less frequent collection would compromise ERS’s ability to secure its confidential data.


  1. Special Circumstances


There are no special circumstances.


  1. Consultations Outside the Agency


On 12/23/2022, ERS published a notice in the Federal Register (87 FR 78913) inviting the public and other federal agencies to comment on plans to submit this request. ERS received no comments. This ICR was created in collaboration with the SAP Interagency Working Group which consisted of all Federal Statistical Agencies.

  1. Paying Respondents


No payments or gifts are given to holders of user accounts in the system.


  1. Assurance of Confidentiality


All personal identifiers are protected under the Privacy Act of 1974 and ERS’s confidentiality privacy and practices.


  1. Justification for Sensitive Questions


ERS will be collecting contact information from applicants, as well as information necessary to make any security determinations. Information will only be used for those two purposes.


  1. Estimate of Hour Burden


The amount of time to complete the agreements and other paperwork that comprise ERS’s security requirements will vary based on the confidential data assets requested. To obtain access to ERS confidential data assets, it is estimated that the average time to complete and submit ERS’s data security agreements and other paperwork is 287 minutes. This estimate does not include the time needed to complete and submit an application within the SAP Portal. All efforts related to SAP Portal applications occur prior to and separate from ERS’s effort to collect information related to data security requirements.


The expected number of applications in the SAP Portal that receive a positive determination from ERS in a given year may vary. Overall, per year, ERS estimates it will collect data security information for 20 application submissions that received a positive determination within the SAP Portal. ERS estimates that the total burden for the collection of information for data security requirements over the course of the three-year OMB clearance will be about 288 hours and, as a result, an average annual burden of 96 hours.


  • Type of submission: Security documents and paperwork

  • Average project submission time: 287 minutes

  • Annual number of security form submissions: 20 projects, estimated 40 researchers

  • Total burden hours over the three-year OMB clearance: 3 years x 287 minutes x 20 =288 hours

  • Annual burden hours over the three-year OMB clearance: 288 hours/3 years = 96 hours


The total cost to applications requesting access to ERS data for the 288 total burden hours is estimated to be $10,108.80.

This estimate is based on an estimated median annual salary of $73,000 per applicant.1 Assuming a 40-hour workweek and a 52-week salary, this annual salary translates to an hourly salary of $35.10. Over the three-year OMB clearance period, the average annual cost to the public for ERS’s security forms is estimated to be $3,369.60.













Document

Time to complete per project

Total yearly burden (20 projects)

CIPSEA Training

60 minutes

20 hours

ERS Site Inspection

30 minutes

10 hours

Confidentiality Agreement

30 minutes

10 hours

MOU

60 minutes

20 hours

Project Agreement

10 minutes (est. 50% data users); 180 minutes (projects for which the SAP does not apply – est. 50% data users)

32 hours

Extension of MOU Request

0 minutes (Optional form; 60 mins. @ 5% chance of 20)

1 hours

Request for Amended Project Agreement Form

0 minutes (Optional form; 60 mins. @ 5% chance of 20)

1 hours

Amendment for New Collaborators Form

0 minutes (Optional form; 60 mins. @ 10% chance of 20)

2 hours

Total burden

287 minutes

96 hours



  1. Estimate of Cost Burden


Not applicable. ERS does not impose any fees, charges, or costs to individuals submitting ERS’s security forms.


  1. Cost to Federal Government


We estimate the average annual cost to the Federal Government for the collection and review of ERS’s security documents to be approximately $23,356.39 per year for Fiscal Years 2023, 2024, and 2025. These figures are based on required contractual and staff resources necessary to collect and review documents given the expected annual number of submitted applications.


  1. Reason for Change in Burden


This is a new data collection resulting in a program change of 96 burden hours.


  1. Project Schedule


The information provided by applicants to ERS is received on an ongoing basis and is not subject to any schedule. Users provide information voluntarily and at their discretion.


  1. Request to Not Display Expiration Date


The expiration date of OMB approval will be displayed on ERS’s security forms.


  1. Exceptions to the Certification


There are no exceptions.


B. Collections of Information Employing Statistical Methods


Not applicable. Because applications requesting access to ERS data are voluntary, this information collection will not employ statistical methods.  

1Applicant salary estimates were based on annual median salary estimates for employed college graduates using data from the 2019 National Survey of College Graduates.

  

File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
Authorholly002
File Modified0000-00-00
File Created2024-07-20

© 2024 OMB.report | Privacy Policy