NOAA4700 Privacy Impact Assessment

NOAA4700 PIA FY25 SAOP_Approved.pdf

Alaska Saltwater Sport Fishing Economic Survey

OMB: 0648-0639

Version Number: 01-2021

U.S. Department of Commerce
National Oceanic & Atmospheric Administration

Privacy Impact Assessment
for the
NOAA4700
Alaska Region

Reviewed by:

Mark Graff

Bureau Chief Privacy Officer

[✔] Concurrence of Senior Agency Official for Privacy/DOC Chief Privacy Officer
[ ] Non-concurrence of Senior Agency Official for Privacy/DOC Chief Privacy Officer

CHARLES CUTSHALL

Digitally signed by CHARLES CUTSHALL
Date: 2025.03.18 12:00:40 -04'00'

Signature of Senior Agency Official for Privacy/DOC Chief Privacy Officer

3/18/2025

Date

U.S. Department of Commerce Privacy Impact Assessment
NOAA/NMFS/Alaska Region
Unique Project Identifier: NOAA4700
Introduction: System Description
Provide a brief description of the information system.
The Alaska Region (AKR) of NOAA Fisheries is one of the six regional offices of NOAA’s
National Marine Fisheries Service, and oversees sustainable fisheries that produce about half the
fish caught in US waters, with responsibilities covering 842,000 square nautical miles off Alaska.
The Alaska Region also works to ensure the viability of protected species—principally marine
mammals—and to protect and enhance Alaska's marine habitat.
NOAA4700 is a general support system that supports the AKR’s mission with the following major
applications:
• Office automation;
• Public interface via the Internet; and
• Fisheries information management, including permits and catch accounting.

Address the following elements:
(a) Whether it is a general support system, major application, or other type of system
The NMFS Alaska Region Local Area Network (LAN) NOAA4700 is one of NOAA’s general
support systems (GSS), an interconnected information resource under direct management
control with shared common functionality. NOAA4700 is a GSS that supports the AKR’s
mission with the following major applications: office automation; public interface via the
Internet; and fisheries information management, including permits and catch accounting.
(b) System location
Alaska Region has three offices, at the following locations:
• Juneau Federal Building - Juneau, AK
• Anchorage Federal Building - Anchorage, AK
• Remote Office, Dutch Harbor - AK
(c) Whether it is a standalone system or interconnects with other systems (identifying and
describing any other systems to which it interconnects)
Alaska Region has interconnect agreements with the following:
• Elandings application
• NOAA4000 – eDiscovery Application
• NOAA4000 – Enterprise Storage Area Network (SAN)
• NOAA0550 – Fisheries WAN and Enterprise Services
• NOAA4000 – OLE Headquarters
• NOAA4000 – UDC37J National Permit System – BOF Site
• NOAA4800 – Alaska Fisheries Science Center (AKFSC) Network
• NOAA4020, Science and Technology, Network encryption
• NOAA4600, NOAA Seattle Local Area Network, Network encryption

(d) The way the system operates to achieve the purpose(s) identified in Section 4
Personnel/Contracting:

In the course of daily business, the following information is routinely collected and maintained
on AKR federal employees and contractors:
• Employee/Contractor Name
• Address
• Date of birth
• Social Security Number
• Business Email
• Business Address
• Business Phone Number
• Alternate phone number (i.e. cell phone)
• Physical Characteristics

This information is used for:
• Security investigations
• Federal employee personnel actions
• Federal employee performance reviews
• Federal employee payroll
• Federal employee awards
• HSPD-12 Common Access Cards
• Recall and notifications for continuity planning
• Incident response plan and outage notification/escalation
• Account management processes
(i.e. requesting accounts, approving accounts, terminating accounts, etc.)
• NOAA Staff Directory

Strandings: The AKR collects and compiles data about marine mammal strandings
throughout Alaska. The network is composed of state and federal wildlife and
fisheries agencies, veterinary clinics, Alaska Native organizations, academic
institutions, and individuals who respond to or provide professional advice on
handling strandings.
Information collected includes:
• Name
• Telephone Number
• Email

Permitting: In order to manage U.S. fisheries, NOAA Fisheries requires the use of
permits or registrations by participants in the United States. Information in the
NOAA4700 system consists of contents of permit applications and related documents,
such as permit transfers and percentage of ownership in a corporation. A typical
transaction is an initial or renewal permit application: the permit holder or applicant
completes an application downloaded from the AKR website, submits it to the AKR by
mail, along with any required supporting documentation and/or required fee payment,
and receives a new permit once approved by the AKR. AKR also provides the option of
online submission of permit applications and related information, via secure web pages.
Note: submission by mail cannot immediately be eliminated, as the option is included in
the applicable regulations.
The following information may be collected:
• Name
• Address
• Date of birth
• Social Security Number/Tax Identification Number
• Marriage certificates
• Divorce decrees
• Death certificates
• Vessel name

eDiscovery Application: The eDiscovery Platform system is a web-based application
used to simplify agency response to Freedom of Information Act (FOIA) requests, aid
in the processing of Administrative Records (AR), and to a lesser extent, Congressional
Inquiries.
(e) How information in the system is retrieved by the user
Information is retrieved by the user using a combination of Database Links, Web Based
Applications, and File Format Applications (Word, Excel, etc.) over the NOAA4700 system
and various web access applications available via the Internet.
(f) How information is transmitted to and from the system
Information is transmitted across approved encryption protocols such as HTTPS, SSH, and
SSL. Sensitive data transmissions are encrypted according to NIST 800-18, Federal Information
Processing Standards (FIPS) 186, Digital Signature Standard and FIPS 180-1, and Secure Hash
Standard issued by NIST when necessary.
(g) Any information sharing
Personnel/Contracting:
In the course of daily business, the following information is routinely collected
and maintained on AKR federal employees and contractors:
• Employee/Contractor Name
• Address
• Date of birth
• Social Security Number
• Business Email
• Business Address
• Business Phone Number
• Alternate phone number (i.e. cell phone)

This information is used for:
• Security investigations
• Federal employee personnel actions
• Federal employee performance reviews
• Federal employee payroll
• Federal employee awards
• HSPD-12 Common Access Cards
• Recall and notifications for continuity planning
• Incident response plan and outage notification/escalation
• Account management processes
(i.e. requesting accounts, approving accounts, terminating accounts, etc.)
• NOAA Staff Directory

Permitting:
In order to manage U.S. fisheries, NOAA Fisheries requires the use of permits
or registrations by participants in the United States. Information in the NOAA4700
system consists of contents of permit applications and related documents, such as
permit transfers and percentage of ownership in a corporation. A typical transaction
is an initial or renewal permit application: the permit holder or applicant completes
an application downloaded from the AKR website, submits it to the AKR by mail,
along with any required supporting documentation and/or required fee payment, and
receives a new permit once approved by the AKR. AKR also provides the option of
online submission of permit applications and related information, via secure web
pages. Note: submission by mail cannot immediately be eliminated, as the option is
included in the applicable regulations.
The following information may be collected:
• Name
• Address
• Date of birth
• Social Security Number/Tax Identification Number
• Marriage certificates
• Divorce decrees
• Death certificates
• Vessel name

Information is shared within the AKR in order to coordinate monitoring and
management of sustainability of fisheries and protected resources (see next
paragraph for additional sharing information). Sources of information include
the permit applicant/holder, other NMFS offices, the U.S. Coast Guard, and the
Pacific States Marine Fisheries Commission (PSMFC).
Information may also be disclosed:
• At the state or interstate level within the PSMFC for the purpose of co-managing
a fishery or for making determinations about eligibility for permits when state
data are all or part of the basis for the permits.
• To the North Pacific Fishery Management Council staff and contractors tasked
with development of analyses to support Council decisions about Fishery
Management Programs.
• To the International Pacific Halibut Commission (IPHC) for the purposes of
identifying current permit owners and vessels pursuant to applicable statutes
or regulations and/or conservation and management measures adopted by
the IPHC.
• To the public: Vessel Owner Name, Name of Vessel and Permit Number are
made publicly available through our website. Notice of this is given on the
permit application. We also allow other regions, centers and state
organizations access to the publicly available information directly from
our database through a secure connection. This information is considered
part of the public domain.

Strandings
The AKR collects and compiles data about marine mammal strandings throughout Alaska.
The network is composed of state and federal wildlife and fisheries agencies, veterinary
clinics, Alaska Native organizations, academic institutions, and individuals who respond to
or provide professional advice on handling strandings.
Information collected includes:
• Name
• Telephone Number
• Email
Strandings information including reporter’s contact information may be shared with
members of the AKR Strandings Network including:
• Alaska
   ◦ Alaska Consortium of Zooarchaeologists
   ◦ Alaska Department of Fish and Game
   ◦ Alaska Sea Grant Marine Advisory Program
   ◦ Alaska Sealife Center
   ◦ Alaska Veterinary Pathology Services
   ◦ The Alaska Whale Foundation
   ◦ Aleut Community of St. Paul and Fur Seal Disentanglement Project
   ◦ Rachel Berngartt, DVM
   ◦ Chicago Conservation Council
   ◦ Glacier Bay National Park and Preserve
   ◦ NOAA Fisheries Alaska Region
   ◦ North Slope Borough
   ◦ The Petersburg Marine Mammal Center
   ◦ Sitka Sound Science Center
   ◦ University of Alaska Southeast, Juneau
   ◦ University of Alaska Southeast, Sitka
   ◦ University of Alaska Fairbanks, Marine Advisory Program
   ◦ University of Alaska Fairbanks, Museum of the North
   ◦ U.S. Fish and Wildlife Service, Alaska Region
   ◦ U.S. Forest Service, Alaska
• National
   ◦ Marine Mammal Health and Stranding Response Program
   ◦ Prescott Marine Mammal Rescue Assistance Grant Program
   ◦ Unusual Marine Mammal Mortality Events Working Group
• Research
   ◦ National Marine Mammal Laboratory
   ◦ University of Alaska Museum Specimen Database (external website)
eDiscovery Application: The eDiscovery Platform system is a web-based
application used to simplify agency response to Freedom of Information Act
(FOIA) requests, aid in the processing of Administrative Records (AR), and to a
lesser extent, Congressional Inquiries.
(h) The specific programmatic authorities (statutes or Executive Orders) for collecting,
maintaining, using, and disseminating the information
Personnel/Contracting: 5 U.S.C. 1301.

Permitting:
• Magnuson-Stevens Fishery Conservation and Management Act
• The High Seas Fishing Compliance Act
• The American Fisheries Act
• The Northern Pacific Halibut Act
• The Marine Mammal Protection Act
• The Endangered Species Act
• Fur Seal Act
• The authority for the mandatory collection of the Tax Identification Number is 31
U.S.C. 7701.

Stranding:
• The Marine Mammal Protection Act
• The Endangered Species Act
• Fur Seal Act.

Other:
• Freedom of Information Act, 5 U.S.C. 552; Privacy Act of 1974 as amended, 5
U.S.C. 552a; 5 U.S.C. 301, and 44 U.S.C. 3101.
• Executive Orders 10450, 11478, 12065, 5 U.S.C. 301 and 7531-332; 15 U.S.C.
1501 et. seq.; 28 U.S.C. 533-535; 44 U.S.C. 3101; and Equal Employment Act
of 1972.
• 42 U.S.C. 3211; 31 U.S.C. 240; 28 U.S.C. 533-535 and 1346(b); 15 U.S.C. 277 and
278e(b); E.O. 10450; E.O. 11478, as amended and all other authorities of the
Department.
• E.O. 12107, E.O. 13164, 41 U.S.C. 433(d); 5 U.S.C. 5379; 5 CFR Part 537; DAO 202957; E.O. 12656; Federal Preparedness Circular (FPC) 65, July 26, 1999; DAO 210110; Executive Order 12564; Public Law 100-71, dated July 11, 1987
(i) The Federal Information Processing Standards (FIPS) 199 security impact category for the
system
NOAA4700 is a FIPS 199 Moderate impact system.

Section 1: Status of the Information System
1.1

Indicate whether the information system is a new or existing system.
This is a new information system.
This is an existing information system with changes that create new privacy risks.
(Check all that apply.)

Changes That Create New Privacy Risks (CTCNPR)
a. Conversions
b. Anonymous to Non-Anonymous
c. Significant System Management Changes
d. Significant Merging
e. New Public Access
f. Commercial Sources
g. New Interagency Uses
h. Internal Flow or Collection
i. Alteration in Character of Data
j. Other changes that create new privacy risks (specify):

This is an existing information system in which changes do not create new privacy
risks, and there is not a SAOP approved Privacy Impact Assessment.
X

This is an existing information system in which changes do not create new privacy
risks, and there is a SAOP approved Privacy Impact Assessment.

Section 2: Information in the System
2.1

Indicate what personally identifiable information (PII)/business identifiable information
(BII) is collected, maintained, or disseminated. (Check all that apply.)

Identifying Numbers (IN)
x
x
a. Social Security*
f. Driver’s License
j. Financial Account
x
x**
b. Taxpayer ID
g. Passport
k. Financial Transaction
x
c. Employer ID
h. Alien Registration
l. Vehicle Identifier
x
d. Employee ID
i. Credit Card
m. Medical Record
x
e. File/Case ID
n. Other identifying numbers (specify):
Captain’s license, State and Federal Dealer Numbers (if applicable), permit or license numbers for Federal or state
permit/licenses issued and start and end dates and other permit status codes, vessel registration number.
*Explanation for the business need to collect, maintain, or disseminate the Social Security number, including
truncated form:
Social Security and tax identification numbers as well as employee ID are all required for the hiring and
employment process in order to conduct background checks, issue ID, and file proper tax documents for the
Federal Employee or Contractor.
Social Security numbers and tax identification numbers (TIN) allow positive identification for cost recovery
billing of IFQ holders. Also, as stated in COMMERCE/NOAA-19, a TIN is required on all permit applications
other than research or exempted fishing permits, under the authority 31 U.S.C. 7701. For purposes of
administering the various NMFS fisheries permit and registration programs, a person shall be considered to be
doing business with a Federal agency including, but not limited to, if the person is an applicant for, or recipient
of, a Federal license, permit, right-of-way, grant, or benefit payment administered by the agency or insurance
administered by the agency pursuant to subsection (c) (2) (B) of this statute.
**Financial transactions are for cost recovery in catch share programs. Cost recovery is a means by which NMFS
recovers administrative costs, by charging a set percentage of the ex-vessel value each year. The ex-vessel value
is the post-season adjusted price per pound for the first purchase of commercial harvest. Certain items under
“Other Information” are components of ex-vessel value.

General Personal Data (GPD)
x
a. Name
h.
b. Maiden Name
i.
c. Alias
j.
x
d. Gender
k.
x
e. Age
l.
f. Race/Ethnicity
m.
g. Citizenship
n.
u. Other general personal data (specify):

Date of Birth
Place of Birth
Home Address
Telephone Number
Email Address
Education
Religion

x
x
x
x

o.
p.
q.
r.
s.
t.

Financial Information
Medical Information
Military Service
Criminal Record
Marital Status
Mother’s Maiden Name

X***
x

Permit applicant, permit holder, permit transferor/transferee, vessel owner, vessel operator, dealer applicant, dealer
permit holder, spouse, former spouse, and descendent.
*** Refers to the transaction and accounts boxes checked in Identifying Numbers.

Work-Related Data (WRD)
a. Occupation

x

e. Work Email Address

x

i.

b.

Job Title

x

f.

x

j.

c.

Work Address

x

g. Work History

x

d.

Work Telephone
Number

x

h. Employment
Performance Ratings or
other Performance
Information

x

l.

Other work-related data (specify):

Salary

Business Associates

Proprietary or Business
Information
k. Procurement/contracting
records

x

x

Other work-related data (specify): Cell phone or other alternate work/contact number, name of
manager/supervisor, vessel name, vessel length overall, name of corporation, state and date of
incorporation of business and articles of incorporation.
This data is required to perform the personnel actions required by the Federal Govt such as:
• Security investigations
• Federal employee personnel actions
• Federal employee performance reviews
• Federal employee payroll
• Federal employee awards
• HSPD-12 Common Access Cards
• Recall and notifications for continuity planning
• Incident response plan and outage notification/escalation
• Account management processes (i.e. requesting accounts, approving accounts, terminating accounts, etc.)
• NOAA Staff Directory

Distinguishing Features/Biometrics (DFB)
a. Fingerprints
f. Scars, Marks, Tattoos
b. Palm Prints
g. Hair Color
c. Voice/Audio Recording
h. Eye Color
d. Video Recording
i. Height
e. Photographs
X* j. Weight
p. Other distinguishing features/biometrics (specify):
*Required to be submitted with permit applications
System Administration/Audit Data (SAAD)
x
a. User ID
c. Date/Time of Access
x
b. IP Address
f. Queries Run
g. Other system administration/audit data (specify):

k.
l.
m.
n.
o.

x
x

Signatures
Vascular Scans
DNA Sample or Profile
Retina/Iris Scans
Dental Profile

e. ID Files Accessed
f. Contents of Files

x

x
x

Other Information (specify)

Fishing locations and methods. Catch information to include species, aggregate catch data and statistics,
quota share balance, quota pound balance, quota pound limits, listings of endorsements and designations
(i.e., gear endorsement, size endorsement, sector endorsement, permit tier) associated with the permit,
name of physical IFQ landing site, exemptions (i.e., owner on board - grandfathered exemption, owner
on board, as stated in Code of Federal Regulations) and exemption status, contact persons,
catch/observer discard data, quota share/quota pound transfer data, business operation information
(business processes, procedures, physical maps).

2.2

Indicate sources of the PII/BII in the system. (Check all that apply.)

Directly from Individual about Whom the Information Pertains
x
In Person
Hard Copy: Mail/Fax
Telephone
Email
Other (specify):

Government Sources
Within the Bureau
State, Local, Tribal
Other (specify):

x

Non-government Sources
Public Organizations
Third Party Website or Application
Other (specify):

2.3

x
x

Other DOC Bureaus
Foreign

Private Sector

x

Online

x

Other Federal Agencies

x

Commercial Data Brokers

Describe how the accuracy of the information in the system is ensured.

Accuracy in the NOAA4700 system is maintained using NIST 800-53 controls. By limiting who
can change and submit the data, the reliability and integrity of the information system is ensured.
NOAA4700 utilizes enterprise-wide services to aid in security monitoring, vulnerability scanning,
and secure baseline management. The system also uses a NOAA enterprise service application for
audit log management.
eDiscovery collects data directly from Google Vault extraction in order to retain the parent-child
relationship in email threads.

2.4

Is the information covered by the Paperwork Reduction Act?
Yes, the information is covered by the Paperwork Reduction Act.
Provide the OMB control number and the agency number for the collection.
x

0648-0206, -0213, -0269, -0272, -0316, -0318, -0334, -0353, -0393, -0401, -0428, -0445, -0512, -0513, -0514, -0515, -0516, -0545, -0564, -0575, -0592, -0665, -0678, -0699, -0700, -0711, -0330,
-0518, -0565, -0633, -0759, -0766, -0786, and -0792.
No, the information is not covered by the Paperwork Reduction Act.

2.5

Indicate the technologies used that contain PII/BII in ways that have not been previously
deployed. (Check all that apply.)

Technologies Used Containing PII/BII Not Previously Deployed (TUCPBNPD)
Smart Cards
Biometrics
Caller-ID
Personal Identity Verification (PIV) Cards
Other (specify):

x

There are not any technologies used that contain PII/BII in ways that have not been previously deployed.

Section 3: System Supported Activities
3.1

Indicate IT system supported activities which raise privacy risks/concerns. (Check all that
apply.)

Activities
Audio recordings
Video surveillance
Other (specify):
x

Building entry readers
Electronic purchase transactions

There are not any IT system supported activities which raise privacy risks/concerns.

Section 4: Purpose of the System
4.1

Indicate why the PII/BII in the IT system is being collected, maintained, or disseminated.
(Check all that apply.)

Purpose
For a Computer Matching Program
For administrative matters
For litigation
For civil enforcement activities
To improve Federal services online
For web measurement and customization
technologies (single-session)
Other (specify):

x
x
x
x

For administering human resources programs
To promote information sharing initiatives
For criminal law enforcement activities
For intelligence activities
For employee or customer satisfaction
For web measurement and customization
technologies (multi-session)

x
x

Section 5: Use of the Information
5.1

In the context of functional areas (business processes, missions, operations, etc.) supported
by the IT system, describe how the PII/BII that is collected, maintained, or disseminated
will be used. Indicate if the PII/BII identified in Section 2.1 of this document is in
reference to a federal employee/contractor, member of the public, foreign national, visitor
or other (specify).
Personnel/Contracting: PII information is collected for both contractor and federal
employee personnel designated to work with AKR. This is information collected for several
administrative and business functions for the AKR:
• Security investigations
• Federal employee personnel actions
• Federal employee performance reviews
• Federal employee payroll
• Federal employee awards
• HSPD-12 Common Access Cards
• Recall and notifications for continuity planning
• Incident response plan and outage notification/escalation
• Account management processes (i.e. requesting accounts, approving accounts,
terminating accounts, etc.)
• NOAA Staff Directory

Permitting: This information will allow NMFS to identify owners and holders of permits
and non-permit registrations and vessel owners and operators for both civil and criminal
enforcement activities, evaluate permit applications, and document agency actions relating
to the issuance, renewal, transfer, revocation, suspension or modification of a permit or
registration. NMFS may use lists of permit holders or registrants as sample frames for the
conduct of surveys to collect information necessary to the administration of the applicable
statutes (see NOAA-19 SORN).
NMFS may post non-sensitive permit holder, vessel-related, and/or IFQ information for
the public, via Web sites and Web Services, per notice given on permit applications. This
information is considered to be part of the public domain.
Strandings: Stranded animals may provide information on geographical distribution,
feeding habits, reproduction, age distribution, diseases, parasites, and contaminant levels. If
strandings are reported quickly, the network also may facilitate the rapid identification of
mass mortalities or strandings caused by disease or toxicity/pollution problems. By
conducting necropsies on dead stranded animals, it is also possible to learn more about the
basic physiology and biology of animals not accessible in the wild or by any other means.
Necropsies also have provided data on the incidence of human interactions including ship
strikes, shootings, entanglements, and marine debris ingestions. These data help NMFS to
make better management decisions about these stocks of marine mammals.
Without authorization from NMFS, the public cannot pick up stranded marine mammals.
However, assistance in documenting the incident is helpful and will allow stranding
network members to respond. The most important information to collect is the date,
location of stranding (including latitude and longitude), number of animals and species, if
known.
eDiscovery Application: The information is used in the review process and redacted before
it is released to the requestor. The application does not actually save the data; it only saves
the metadata or pointers to the scanned document.

5.2

Describe any potential threats to privacy, such as insider threat, as a result of the
bureau’s/operating unit’s use of the information, and controls that the
bureau/operating unit has put into place to ensure that the information is handled,
retained, and disposed appropriately. (For example: mandatory training for
system users regarding appropriate handling of information, automatic purging of
information in accordance with the retention schedule, etc.)

NOAA4700 limits the threats to privacy by limiting access to the content and encrypting the
PII in electronic form. Insider threat is a possibility that is mitigated by requiring that all
users receive yearly training that highlights proper handling of PII. Commonly used forms
list PII items such as Social Security Number with “On File” vs the actual SSN to prevent
the document from being classified as PII. Forms printed with PII material produce a
banner indicating that the material is PII. Files are stored both electronically and on paper in
stored cabinets.

NOAA4700 utilizes enterprise-wide services to aid in security monitoring, vulnerability
scanning, and secure baseline management. The system also uses a NOAA enterprise service
application for audit log management.
There is a risk of inadvertent disclosure of PII/BII through FOIA releases, but employees are
provided training throughout the year to reduce the likelihood of disclosure.

Section 6: Information Sharing and Access
6.1

Indicate with whom the bureau intends to share the PII/BII in the IT system and how the
PII/BII will be shared. (Check all that apply.)
Recipient

Case-by-Case

Within the bureau
DOC bureaus
Federal agencies
State, local, tribal gov’t agencies
Public
Private sector
Foreign governments
Foreign entities
Other (specify):

x
x
X*
x

How Information will be Shared
Bulk Transfer
Direct Access
x

x

x
x

x

x

*For privacy breach, security investigations and CAC
The PII/BII in the system will not be shared.

6.2

Does the DOC bureau/operating unit place a limitation on re-dissemination of PII/BII
shared with external agencies/entities?
x

Yes, the external agency/entity is required to verify with the DOC bureau/operating unit before re-dissemination of PII/BII.
No, the external agency/entity is not required to verify with the DOC bureau/operating unit before re-dissemination of PII/BII.
No, the bureau/operating unit does not share PII/BII with external agencies/entities.

6.3

Indicate whether the IT system connects with or receives information from any other IT
systems authorized to process PII and/or BII.

x

Yes, this IT system connects with or receives information from another IT system(s) authorized to
process PII and/or BII.
Provide the name of the IT system and describe the technical controls which prevent PII/BII leakage:
NOAA4000, Network encryption
NOAA4020, Science and Technology, Network encryption
NOAA4600, NOAA Seattle Local Area Network, Network encryption
NOAA4800, Alaska Fisheries Science Center (AKFSC) Network encryption
Elanding, Coop of NMFS, Alaska Department of Fish and Game and International Pacific Halibut
Commission
Information is protected by encryption at rest and encryption in transit.
No, this IT system does not connect with or receive information from another IT system(s) authorized to
process PII and/or BII.

6.4

Identify the class of users who will have access to the IT system and the PII/BII. (Check
all that apply.)

Class of Users
General Public
Contractors
Other (specify):

x
x

Government Employees

x

Section 7: Notice and Consent
7.1

Indicate whether individuals will be notified if their PII/BII is collected, maintained, or
disseminated by the system. (Check all that apply.)
x
x

x

Yes, notice is provided pursuant to a system of records notice published in the Federal Register and
discussed in Section 9.
Yes, notice is provided by a Privacy Act statement and/or privacy policy. The Privacy Act statement
and/or privacy policy can be found at: http://www.nmfs.noaa.gov/aboutus/privacy.html
Yes, notice is provided by other means.

Specify how:
Permitting: Notice is provided on the permit or related
application.
Personnel/contracting: Federal Employees/Contractors
voluntarily submit this data as part of the hiring process or the
hiring process cannot be properly conducted. Once the
applicant is hired, and the paperwork is completed (OF-306,
etc.), copies of these on-boarding documents are provided to the
new employee on day one at the new workstation. He/she is
instructed to retain these for their own records in a fire-proof
safe at his/her own residence. This is the same process followed
NOAA-wide.
eDiscovery Application: The information is redacted as part of
the FOIA review process. This is not the original submission of
the information.

No, notice is not provided.
Specify why not:

7.2

Indicate whether and how individuals have an opportunity to decline to provide PII/BII.
x

Yes, individuals have an opportunity to
decline to provide PII/BII.

Specify how:
Personnel/Contracting: Federal employees and
contractors may decline to provide PII/BII in writing
to their respective supervisor and contracting officer’s
representative; however, doing so may affect the status
of employment and contract.
Permitting: The personal information is collected when
the individual completes the appropriate application. On
the application, the individual is advised that NMFS will
not be able to issue a permit if the individual does not
provide each item of information requested. The individual
may choose to decline to provide the required personal
information at that time, by not completing the application,
but will not be able to receive a permit.
Strandings: Individuals may decline to submit strandings
reports, by not submitting them.
eDiscovery Application: The BII/PII is collected via email as
part of conducting business. This is not the original submission
of the data.

No, individuals do not have an
opportunity to decline to provide
PII/BII.
Specify why not:

7.3

Indicate whether and how individuals have an opportunity to consent to particular uses of
their PII/BII.
x

Yes, individuals have an opportunity to
consent to particular uses of their
PII/BII.

Specify how:
Personnel/Contracting: Employees and Users are
provided with the link to NOAA’s privacy policy where it
states: “Submitting voluntary information constitutes your
consent to the use of the information for the stated
purpose”.
Permitting: Permittees are provided with the link to
NOAA’s privacy policy where it states: “Submitting
voluntary information constitutes your consent to the use of
the information for the stated purpose”.
Strandings: Strandings reporters are provided with the link
to NOAA’s privacy policy where it states: “Submitting
voluntary information constitutes your consent to the use of
the information for the stated purpose”.

eDiscovery Application: The BII/PII is collected via email as
part of conducting business. This is not the original submission
of the data.

No, individuals do not have an
opportunity to consent to particular uses
of their PII/BII.

Specify why not:

7.4 Indicate whether and how individuals have an opportunity to review/update PII/BII
pertaining to them.
x

Yes, individuals have an opportunity to
review/update PII/BII pertaining to
them.

Specify how:
Personnel/Contracting: Individuals may update PII/BII upon
written request to Chief, Operations and Management
Division, Alaska Region, NOAA Fisheries.
Permitting: Information may be reviewed or updated
when completing or renewing a permit application or
supporting document, or by calling or emailing the
applicable NMFS office at any time: 978-282-8438
(information is on permits and permit applications).

Strandings: Individuals may update PII/BII upon written request
to Chief, Protected Resources Division.

No, individuals do not have an
opportunity to review/update PII/BII
pertaining to them.

Specify why not:

Section 8: Administrative and Technological Controls
8.1 Indicate the administrative and technological controls for the system. (Check all that
apply.)

x All users signed a confidentiality agreement or non-disclosure agreement.
x All users are subject to a Code of Conduct that includes the requirement for confidentiality.
x Staff (employees and contractors) received training on privacy and confidentiality policies and practices.
x Access to the PII/BII is restricted to authorized personnel only.
x Access to the PII/BII is being monitored, tracked, or recorded.
Explanation: Access to PII in the database is tracked by logging the Oracle database according to
DISA baselines.
x The information is secured in accordance with the Federal Information Security Modernization Act
(FISMA) requirements.
Provide date of most recent Assessment and Authorization (A&A): 2023-11-17
܆ This is a new system. The A&A date will be provided when the A&A package is approved.
x The Federal Information Processing Standard (FIPS) 199 security impact category for this system is a
moderate or higher.
x NIST Special Publication (SP) 800-122 and NIST SP 800-53 Revision 4 Appendix J recommended
security controls for protecting PII/BII are in place and functioning as intended; or have an approved Plan
of Action and Milestones (POA&M).
x A security assessment report has been reviewed for the information system and it has been determined
that there are no additional privacy risks.
x Contractors that have access to the system are subject to information security provisions in their contracts
required by DOC policy.
Contracts with customers establish DOC ownership rights over data including PII/BII.
Acceptance of liability for exposure of PII/BII is clearly defined in agreements with customers.
Other (specify):

8.2 Provide a general description of the technologies used to protect PII/BII on the IT system.
(Include data encryption in transit and/or at rest, if applicable).

The potential risk of inappropriate and/or unauthorized disclosure is mitigated by
limiting the number of authorized system users, providing initial and annual system
security training, monitoring authorized user activity, automatically and immediately
notifying the system administrator of unauthorized system access or usage,
documenting user violations, and gradually increasing user reprimands for system
violations, ranging from a verbal warning with refresher security training to denial
of system access. Our permitting data is encrypted at rest and our backup tapes are
encrypted.
The information is secured via both administrative and technological controls. PII
and BII are stored on shared drives that require a common access card (CAC) for
access. The principles of least privilege and separation of duties are implemented by
AKR to ensure that only personnel with the need to know have access to this
information.
All NMFS personnel and contractors are instructed on the confidential nature of this
information. Through acknowledgement of the NOAA rules of behavior, account
request agreements, etc., all users are instructed to abide by all statutory and
regulatory data confidentiality requirements, and to release the data only to
authorized users.
Buildings employ security systems with locks and access limits. Only those who
have the need to know, to carry out the official duties of their job, have access to the
data.
The computerized database is password protected, and access is limited. Paper
records are maintained in secured file cabinets in areas that are accessible only to
authorized personnel of NOAA4700.
eDiscovery is encrypted at rest and in transit (through the use of Kiteworks) before
ingest into Clearwell.

Section 9: Privacy Act
9.1 Is the PII/BII searchable by a personal identifier (e.g., name or Social Security number)?

x

Yes, the PII/BII is searchable by a personal identifier.
No, the PII/BII is not searchable by a personal identifier.

9.2 Indicate whether a system of records is being created under the Privacy Act, 5 U.S.C. §
552a. (A new system of records notice (SORN) is required if the system is not covered by
an existing SORN).
As per the Privacy Act of 1974, “the term ‘system of records’ means a group of any records under the control of any agency from
which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular
assigned to the individual.”

x

Yes, this system is covered by an existing system of records notice (SORN).
Provide the SORN name, number, and link. (list all that apply):
Security or Privacy Breach: COMMERCE/DEPT-13, Investigation and Security Information
Personnel/Contracting: COMMERCE/DEPT-18, Employees Personnel Files Not Covered by Notices of Agencies.
Permitting: NOAA-19, Permits and Registrations for United States Federally Regulated Fisheries.
Strandings: Information is not retrieved by individual name or identifying number.
eDiscovery Application: COMMERCE/DEPT-5, Freedom of Information Act and Privacy Act Request Records
COMMERCE/DEPT-14, Litigation, Claims, and Administrative Proceeding Records
COMMERCE/DEPT-25, Access Control and Identity Management System
OPM/GOVT-1, General Personnel Records
COMMERCE/DEPT-31, Public Health Emergency Records of Employees, Visitors, and Other Individuals at Department Locations

Yes, a SORN has been submitted to the Department for approval on (date).
No, this system is not a system of records and a SORN is not applicable.

Section 10: Retention of Information
10.1 Indicate whether these records are covered by an approved records control schedule and
monitored for compliance. (Check all that apply.)
x

There is an approved record control schedule.
Provide the name of the record control schedule:
(Personnel Files) and Chapter 1500: 1505-11, 1507-11, and 1514-01
No, there is not an approved record control schedule.
Provide the stage in which the project is in developing and submitting a records control schedule:

x

Yes, retention is monitored for compliance to the schedule.
No, retention is not monitored for compliance to the schedule. Provide explanation:

10.2 Indicate the disposal method of the PII/BII. (Check all that apply.)
Disposal
x Shredding
x Degaussing
x Overwriting
x Deleting
Other (specify):

Section 11: NIST Special Publication 800-122 PII Confidentiality Impact Level
11.1 Indicate the potential impact that could result to the subject individuals and/or the
organization if PII were inappropriately accessed, used, or disclosed. (The PII
Confidentiality Impact Level is not the same, and does not have to be the same, as the
Federal Information Processing Standards (FIPS) 199 security impact category.)

x

Low – the loss of confidentiality, integrity, or availability could be expected to have a limited adverse
effect on organizational operations, organizational assets, or individuals.
Moderate – the loss of confidentiality, integrity, or availability could be expected to have a serious adverse
effect on organizational operations, organizational assets, or individuals.
High – the loss of confidentiality, integrity, or availability could be expected to have a severe or
catastrophic adverse effect on organizational operations, organizational assets, or individuals.

11.2 Indicate which factors were used to determine the above PII confidentiality impact level.
(Check all that apply.)

Identifiability
Provide explanation:

x Quantity of PII
Provide explanation: For permitting, the AKR maintains a
significant quantity of sensitive PII.

x Data Field Sensitivity
Provide explanation: The AKR maintains sensitive PII, especially
Social Security numbers and tax identification numbers.

Context of Use
Provide explanation:

x Obligation to Protect Confidentiality
Provide explanation: Permits data confidentiality is authorized by
the Magnuson-Stevens Fishery Conservation and Management Act.

x Access to and Location of PII
Provide explanation: Sensitive data is encrypted at rest and access
is also restricted.

Other:
Provide explanation:

Section 12: Analysis
12.1 Identify and evaluate any potential threats to privacy that exist in light of the information
collected or the sources from which the information is collected. Also, describe the
choices that the bureau/operating unit made with regard to the type or quantity of
information collected and the sources providing the information in order to prevent or
mitigate threats to privacy. (For example: If a decision was made to collect less data,
include a discussion of this decision; if it is necessary to obtain information from sources
other than the individual, explain why.)
There are no obvious threats to privacy that exist from the sources or type of
information collected. Alaska Region collects the minimum amount of sensitive
information that is required to complete the mission.
NOAA4700 utilizes enterprise-wide services to aid in security monitoring,
vulnerability scanning, and secure baseline management. The system also uses a
NOAA enterprise service application for audit log management.

12.2 Indicate whether the conduct of this PIA results in any required business process changes.
Yes, the conduct of this PIA results in required business process changes.
Explanation:

x

No, the conduct of this PIA does not result in any required business process changes.

12.3 Indicate whether the conduct of this PIA results in any required technology changes.
Yes, the conduct of this PIA results in required technology changes.
Explanation:

x

No, the conduct of this PIA does not result in any required technology changes.


Points of Contact and Signatures

Information System Security Officer or System Owner
Name: David Hanson
Office: NMFS-AKR
Phone: 907-586-7054
Email: david.hanson@noaa.gov
I certify that this PIA is an accurate representation of the security
controls in place to protect PII/BII processed on this IT system.
Signature: Digitally signed by HANSON.DAVID.WAYNE.1043191590
Date: 2024.11.13 13:36:02 -09'00'
Date signed:

Information Technology Security Officer
Name: Catherine Amores
Office: NMFS
Phone: (301) 427-8871
Email: Catherine.Amores@noaa.gov
I certify that this PIA is an accurate representation of the security
controls in place to protect PII/BII processed on this IT system.
Signature: Digitally signed by AMORES.CATHERINE.SOLEDAD.1541314390
Date: 2024.12.03 12:28:02 -05'00'
Date signed:

Privacy Act Officer
Name: Robin Burress
Office: NOAA OCIO
Phone: 828-271-4695
Email: Robin.Burress@noaa.gov
I certify that the appropriate authorities and SORNs (if applicable)
are cited in this PIA.
Signature: Digitally signed by BURRESS.ROBIN.SURRETT.1365847696
Date: 2024.12.13 12:12:01 -05'00'
Date signed:

Authorizing Official
Name: Jamal Moss
Office: NMFS-AKR
Phone: (907) 586-7221
Email: Jamal.Moss@noaa.gov
I certify that this PIA is an accurate representation of the security
controls in place to protect PII/BII processed on this IT system.
Signature: Digitally signed by MOSS.JAMAL.HASAN.1365858612
Date: 2024.11.13 15:51:33 -09'00'
Date signed:

Bureau Chief Privacy Officer
Name: Mark Graff
Office: NOAA OCIO
Phone: 301-628-5658
Email: Mark.Graff@noaa.gov
I certify that the PII/BII processed in this IT system is necessary
and this PIA ensures compliance with DOC policy to protect
privacy.
Signature: Digitally signed by GRAFF.MARK.HYRUM.1514447892
Date: 2024.12.16 16:54:38 -05'00'
Date signed:

This page is for internal routing purposes and documentation of approvals. Upon final
approval, this page must be removed prior to publication of the PIA.


File Type: application/pdf
File Title: NOAA4700 PIA 2024-1203.pdf
Author: lmartin1
File Modified: 2025-03-18
File Created: 2024-12-13
