Version Number: 01-2021
U.S. Department of Commerce
National Oceanic & Atmospheric Administration
Privacy Impact Assessment
for the
NOAA4400 (SEFSC)
Reviewed by:
Mark Graff
Bureau Chief Privacy Officer
Concurrence of Senior Agency Official for Privacy/DOC Chief Privacy Officer
Non-concurrence of Senior Agency Official for Privacy/DOC Chief Privacy Officer
CHARLES CUTSHALL
Digitally signed by CHARLES CUTSHALL
Date: 2024.03.13 16:14:19 -04'00'
Signature of Senior Agency Official for Privacy/DOC Chief Privacy Officer
Date
U.S. Department of Commerce Privacy Impact Assessment
NOAA4400 – Southeast Fisheries Science Center
Unique Project Identifier: NOAA4400
Introduction: System Description
The Southeast Fisheries Science Center (SEFSC) is a general support system that conducts
multi-disciplinary research programs to provide management information to support national
and regional programs of NOAA's National Marine Fisheries Service (NMFS) and to
respond to the needs of Regional Fishery Management Councils, Interstate and International
Fishery Commission, Fishery Development Foundations, government agencies, and the
general public.
The SEFSC provides the scientific advice and data needed to effectively manage the living marine
resources of the Southeast region and Atlantic high seas. We work closely with NOAA Fisheries
Southeast Regional Office to provide independent, objective science. Information within NOAA4400
is collected for research and license and permitting purposes within the SEFSC. However, in the
event of the discovery of criminal activity, or behavior that is in violation of law or regulation,
NOAA4400 may share the information for criminal prosecution or for the enforcement of
administrative or criminal laws and regulations.
Our multidisciplinary research informs natural resource management. Fisheries management
councils, fisheries commissions, and federal, state and local agencies depend on our science to make
decisions that protect and conserve the region’s living marine resources.
Address the following elements:
(a) Whether it is a general support system, major application, or other type of system
SEFSC – FISMA NOAA4400 is a general support system.
(b) System location
SEFSC is headquartered in Miami, FL.
(c) Whether it is a standalone system or interconnects with other systems (identifying and
describing any other systems to which it interconnects)
The SEFSC is headquartered in Miami, FL and interconnects with the Atlantic Coastal Cooperative Statistics Program (ACCSP), NOAA0550, NOAA4000, NOAA4200, and NOAA4300. The NMFS interconnections all connect via the NMFS WAN and are primarily used for database connections to provide data to NMFS science centers and regional offices. For the connection with ACCSP, all data is encrypted using Oracle native encryption (sqlnet.ora) and TLS. This encrypted connection is in addition to the VPN, so if the VPN does not work the system is still protected by the existing encrypted connection.
The data being shared amongst these systems consists of aggregated fishery and marine life
data; and minimum PII and BII needed to maintain the system operation. Authorized
personnel use this data for research purposes, and they access this data following access
controls put in place by each system following the guidelines of the current NIST IT Security
standard.
The SEFSC is responsible for scientific research on living marine resources that occupy marine and estuarine habitats of the continental southeastern United States, as well as Puerto Rico and the U.S. Virgin Islands. The SEFSC is one of the six national marine fisheries science centers responsible for federal marine fishery research programs.
Information within NOAA4400 is collected for research and license and permitting purposes
within the SEFSC. However, in the event of the discovery of criminal activity, or behavior that
is in violation of law or regulation, NOAA4400 may share the information for criminal
prosecution or for the enforcement of administrative or criminal laws and regulations.
(d) The way the system operates to achieve the purpose(s) identified in Section 4
PII/BII in the IT system is being collected, maintained, or disseminated for (a) administrative
matters, (b) civil enforcement activities, and (c) criminal law enforcement activities if needed.
NOAA4400 does not collect SSNs or EINs; however, the organization gathers some minimum PII, such as captains' names, business addresses, and phone numbers, and this information is used for processes such as (d) compliance (ensuring logbooks are submitted as required); (e) mailing (logbooks, permits, etc.); (f) the mailing address of record; (g) providing HMS regulations and species guides to Atlantic Tournaments; and (h) online no-fish electronic reporting (account creation and mailing).
The integration of drones (UAS) into SEFSC Protected Resources and Biodiversity Division operations allows additional information to be gathered during operations, including aerial photo-identification and dorsal photography, which allow for assessments of individual organism growth, health, body condition, and reproductive status and provide more accurate estimates of group sizes and group membership.
NOAA4400 could also utilize UAS to locate and assess stranded animals in areas difficult to
access. Outside of the protected resources applications, regular or opportunistic UAS
deployments could also be used to identify and, if coupled with acoustic data, determine the
three-dimensional extent and density of schooling pelagic fishes (e.g., menhadens, tunas),
which could ultimately be utilized to estimate the biomass. UAS could also be utilized to
support additional projects yielding data on the marine environment, including on critical
habitats and seawater chemistry, to name a few.
UAS: The use of UAS has the potential for inadvertent collection of PII, such as images of individuals along the coastlines that are within the area of study by the UAS vehicle. However, no information retrieval using any unique identifier within Survey datasets will be conducted, and any PII inadvertently collected will be deleted within 30 days. NOAA4400 does not use any application capable of facial recognition within any captured images. It is anticipated that the UAS collected imagery will be at a resolution to meet organizational needs, but it would not have the ability (resolution or clarity) to identify any individuals uniquely.
If the drone goes down during flight, the retrieval of the unit would be at the operator's discretion based on safety and technical factors. Inadvertently obtained PII captured during the flight could be retrieved by others if technically possible from the damaged drone. NOAA4400 closely collaborates with OCS, and OCS is compliant with all policies and procedures posted on the UAS.noaa.gov site along with the NOAA Unmanned Aircraft System Privacy Policy.
(e) How information in the system is retrieved by the user
NOAA4400 has a Fisheries Logbook System (FLS) which collects vessel and captain's names,
numbers of each species caught, the numbers of animals retained or discarded alive or
discarded dead, the location of the set, the types and size of gear, the duration of the set, port of
departure and return, unloading dealer and location, number of sets, number of crew, date of
departure and landing, and an estimate of the fishing time. NOAA4400 also collects the job title and telephone number of the individual completing the logbook.
The user retrieves information in the system after following multiple conditions that have been
implemented, system-wide, to restrict the user from selecting incorrect options, including
database fields and values. In addition, after the data is collected and validated, numerous
Quality Assurance Quality Control (QAQC) reports are run to confirm the data's accuracy.
The specific ways a user can retrieve the information are through SQL, SAS, R, Oracle, and
APEX queries. Access to the systems requires special permissions, and the data is encrypted at
rest.
Access to the system is granted based on specific roles and very few users can access the whole
system.
Logs for every operation (no exceptions) are generated, collected, and kept indefinitely,
allowing the reconstruction and analysis of any event that might happen at a particular point.
Operation logs are generated with time and location.
ACCSP pulls data using an encrypted SQLNET connection over a dynamic virtual private network (VPN) to NOAA Headquarters (NOAA4000).
Data are retrieved by the authenticated end-users and state fisheries administrators through the ACCSP Warehouse. Federal agencies who have an Interconnect Security Agreement may retrieve the data from the ACCSP Warehouse or Standard Atlantic Fisheries Information System (SAFIS) databases, follow agreed-upon secure data transfer protocols, and provide access to their users through their local data delivery processes as appropriate.
All internal data and resources are retrieved using Government Furnished Equipment (GFE) through approved applications to open, review, verify, and securely delete information. Internal resources are secured through defense-in-depth with layered security (physical access, firewalls, Active Directory, access controls, permissions, etc.).
Internal Common Access Card (CAC) authenticated users can utilize (based on permissions) data stored in PDFs, files, and databases through networked client devices and the NOAA VPN service for remote access. NOAA4400 uses Google services for email and collaboration.
(f) How information is transmitted to and from the system
All data is encrypted at rest and during transit and is handled by the Database Administrator in
an Oracle System. The information is secured via both administrative and technological
controls. Business Identifiable Information (BII) is stored on shared drives that require
Common Access Card (CAC) for access. SEFSC implements the principle of least privilege and separation of duties to ensure that only personnel with a need to know have access to this information.
Logbook data, when entered, is stored on our Oracle Database server. This system uses native database authentication for user access. The only way to read data on the Oracle Database is to authenticate with a username and password.
A computerized database is password-protected, and access is limited. Paper records are
maintained in secured file cabinets in areas that are accessible only to authorized personnel of
NOAA4400.
ACCSP pulls data using an encrypted SQLNET connection over a dynamic virtual private network (VPN) to NOAA4000. Data is passed through FIPS 140-2 approved encryption mechanisms (SQLNET AES256 encrypted sessions) if networks are interconnected. When the information is transmitted to and from the ACCSP, ACCSP pulls data using an encrypted SQLNET connection over a dynamic VPN to NOAA Headquarters (NOAA4000). The connections at each end must be located within controlled access facilities and protected 24 hours a day. Individual users will not have access to the data except through their system's security software inherent to the operating system.
(g) Any information sharing.
The SEFSC is headquartered in Miami, FL, and interconnects with ACCSP, NOAA4000, NOAA4200, and NOAA4300. The NMFS interconnections all connect via the NMFS WAN and are primarily used for database connections to provide data to NMFS science centers and regional offices. For the connection with ACCSP, all data is encrypted using Oracle native encryption (sqlnet.ora) and TLS. The SEFSC has an encrypted connection in addition to the VPN, so if the VPN does not work the system is still protected by the existing encrypted connection.
The SEFSC is responsible for scientific research on living marine resources that occupy marine and estuarine habitats of the continental southeastern United States, Puerto Rico, and the U.S. Virgin Islands. The SEFSC is one of the six national marine fishery science centers responsible for federal marine fishery research programs. NOAA4400 intends to share the collected PII/BII (a) within the bureau, (b) with DOC bureaus, and (c) with other federal agencies as needed.
As per the connection with ACCSP, data are passed through FIPS 140-2 approved encryption mechanisms (SQLNET AES256 encrypted sessions) if networks are interconnected. When the information is transmitted to and from the ACCSP, ACCSP pulls data using an encrypted SQLNET connection over a dynamic VPN to NOAA Headquarters (NOAA4000). The connections at each end must be located within controlled access facilities and protected 24 hours a day. Individual users will not have access to the data except through their system's security software inherent to the operating system.
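As an added illustration (not SEFSC's or ACCSP's actual configuration), the sqlnet.ora settings that make the SQLNET AES256 encrypted sessions described above mandatory on both ends, shown beside Oracle's permissive default; the SHA256 checksum type and the SQLNET.FIPS_140 switch are assumed to be available on the Oracle release in use.

```ini
# sqlnet.ora on the database server (illustrative, not the SEFSC file).
#
# --- Permissive default (what you get if nothing is set) ---
# ACCEPTED means "encrypt only if the peer asks", so a client with no
# encryption settings negotiates a cleartext SQL*Net session and the VPN
# becomes the only thing protecting logbook data on the wire.
# SQLNET.ENCRYPTION_SERVER = ACCEPTED
# SQLNET.CRYPTO_CHECKSUM_SERVER = ACCEPTED

# --- Required posture: confidentiality and integrity are mandatory ---
# REQUIRED refuses any session that cannot negotiate one of the listed
# algorithms, so a downgrade to cleartext fails instead of silently
# succeeding. Listing only AES256 pins the cipher the PIA describes.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
# Restrict the crypto library to FIPS 140-validated algorithms and modes
# (assumed parameter name; confirm against the docs for your release).
SQLNET.FIPS_140 = TRUE

# sqlnet.ora on the pulling client (e.g. the ACCSP warehouse host), kept in
# a separate file there. REQUIRED on the client as well means the client
# also refuses to talk to a server that has been misconfigured to ACCEPTED.
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256)
```

After connecting, the NETWORK_SERVICE_BANNER rows of V$SESSION_CONNECT_INFO show which encryption and checksum services the session actually negotiated, which is the check to run before relying on the VPN-independent protection the text describes.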
(h) The specific programmatic authorities (statutes or Executive Orders) for collecting,
maintaining, using, and disseminating the information.
Type of Information Collected (Section 9.2): 1. Fishermen's Statistical Data
Applicable SORN (Introduction h.): NOAA-6
Programmatic Authorities (Introduction h.):
· Fish and Wildlife Act as amended (16 U.S.C. 742 et seq.)
· Fishery Conservation and Management Act of 1976 as amended (16 U.S.C. 1852)
Type of Information Collected (Section 9.2): 2. Fisheries Permits & Registrations
Applicable SORN (Introduction h.): NOAA-19
Programmatic Authorities (Introduction h.):
· Magnuson-Stevens Fishery Conservation and Management Act, 16 U.S.C. 1801 et seq.
· High Seas Fishing Compliance Act of 1995, 16 U.S.C. 5501 et seq.
· International Fisheries Regulations: Vessels of the United States Fishing in Colombian Treaty Waters, 50 CFR 300.120
· American Fisheries Act, Title II, Public Law No. 105-277
· Atlantic Coastal Fisheries Cooperative Management Act of 1993, 16 U.S.C. 5101-5108, as amended 1996
· Tuna Conventions Act of 1950, 16 U.S.C. 951-961
· Atlantic Tunas Convention Authorization Act, 16 U.S.C., Chapter 16A
· Northern Pacific Halibut Act of 1982, 16 U.S.C. 773 et seq.
· Antarctic Marine Living Resources Convention Act of 1984, 16 U.S.C. 2431-2444
· Western and Central Pacific Fisheries Convention Implementation Act, 16 U.S.C. 6901 et seq.
· Dolphin Protection Consumer Information Act, 16 U.S.C. 1385
· Marine Mammal Protection Act, 16 U.S.C. 1361 et seq.
· Commerce, Justice, Science and Related Agencies Act, 2018, Division B, Section 539 (Pub. L. 115-141)
· Taxpayer Identifying Number, 31 U.S.C. 7701
(i) The Federal Information Processing Standards (FIPS) 199 security impact category for the
system
According to FIPS 199, NOAA4400 is classified as a Moderate Impact System, providing
infrastructure and application support for internal systems and data to external NMFS
systems.
Section 1: Status of the Information System
1.1 Indicate whether the information system is a new or existing system.
X
This is a new information system.
This is an existing information system with changes that create new privacy risks. (Check all that apply.)
Changes That Create New Privacy Risks (CTCNPR)
a. Conversions
b. Anonymous to Non-Anonymous
c. Significant System Management Changes
d. Significant Merging
e. New Public Access
f. Commercial Sources
g. New Interagency Uses
h. Internal Flow or Collection
i. Alteration in Character of Data
j. Other changes that create new privacy risks (specify):
X
NOAA4400 has a relatively new interconnection with ACCSP. Through this association
commercial dealer, as well as permit-based commercial and for-hire fishermen data is collected
by ACCSP and exchanged with NOAA4400. Individual fishermen trip data, dealer report data,
and permit data are shared between SEFSC and ACCSP. The permit data does not include PII.
Also, NOAA4400 is now collecting fisherman trip and landing statistics to meet a federal
mandate under the Magnuson-Stevens Act to collect and report recreational and commercial
fisheries data. There are no other ways to operate without this collection. The collected data is
accessed by ACCSP Staff, SEFSC Staff, and ACCSP partners with individual user confidential
access approved by SEFSC staff. Confidential named user access is for a set period and is
automatically revoked at the expiration date.
The integration of drones (UAS) into SEFSC Protected Resources and Biodiversity Division operations allows additional information to be gathered during operations, including aerial photo-identification and dorsal photography, which allow for assessments of individual organism growth, health, body condition, and reproductive status and provide more accurate estimates of group sizes and group membership.
This is an existing information system in which changes do not create new privacy risks, and there is not a SAOP approved Privacy Impact Assessment.
This is an existing information system in which changes do not create new privacy risks, and there is a SAOP approved Privacy Impact Assessment.
Section 2: Information in the System
2.1 Indicate what personally identifiable information (PII)/business identifiable information (BII) is collected, maintained, or disseminated. (Check all that apply.)
Identifying Numbers (IN)
a. Social Security*
b. Taxpayer ID
c. Employer ID
d. Employee ID
e. File/Case ID
f. Driver's License
g. Passport
h. Alien Registration
i. Credit Card
j. Financial Account
k. Financial Transaction
l. Vehicle Identifier
m. Medical Record
n. Other identifying numbers (specify):
*Explanation for the business need to collect, maintain, or disseminate the Social Security number, including truncated form:
NOAA4400 collects vessel ID/Documentation # to trace information back to the required permit.
General Personal Data (GPD)
X
a. Name
b. Maiden Name
c. Alias
d. Gender
e. Age
f. Race/Ethnicity
g. Citizenship
h. Date of Birth
i. Place of Birth
j. Home Address
k. Telephone Number
l. Email Address
m. Education
n. Religion
o. Financial Information
p. Medical Information
q. Military Service
r. Criminal Record
s. Marital Status
t. Mother's Maiden Name
u. Other general personal data (specify):
Work-Related Data (WRD)
a. Occupation
X
e. Work Email Address
b. Job Title
X
f. Salary
c. Work Address
X
g. Work History
d. Work Telephone Number
X
h. Employment Performance Ratings or other Performance Information
l. Other work-related data (specify):
X
X
i. Business Associates
X
j. Proprietary or Business Information
k. Procurement/contracting records
X
Distinguishing Features/Biometrics (DFB)
a. Fingerprints
f. Scars, Marks, Tattoos
b. Palm Prints
g. Hair Color
c. Voice/Audio Recording
h. Eye Color
X
d. Video Recording
i. Height
e. Photographs
j. Weight
k. Signatures
l. Vascular Scans
m. DNA Sample or Profile
n. Retina/Iris Scans
o. Dental Profile
p. Other distinguishing features/biometrics (specify):
It is anticipated that the UAS collected imagery will be at a resolution to meet organizational
needs, but it would not have the ability (resolution or clarity) to identify any individuals
uniquely.
System Administration/Audit Data (SAAD)
X
a. User ID
c. Date/Time of Access
X
b. IP Address
d. Queries Run
g. Other system administration/audit data (specify):
X
X
e. ID Files Accessed
f. Contents of Files
X
X
Other Information (specify)
NOAA4400 has a Fisheries Logbook System (FLS) which collects vessel and captains’
names, numbers of each species caught, the numbers of animals retained or discarded alive
or discarded dead, the location of the set, the types and size of gear, the duration of the set,
port of departure and return, unloading dealer and location, number of sets, number of
crew, date of departure and landing, and an estimate of the fishing time.
Fisherman trip and landing statistics are now being collected as well.
2.2 Indicate sources of the PII/BII in the system. (Check all that apply.)
Directly from Individual about Whom the Information Pertains
In Person
Hard Copy: Mail/Fax
Telephone
Email
Other (specify):
Government Sources
Within the Bureau
State, Local, Tribal
Other (specify):
X
Non-government Sources
Public Organizations
Third Party Website or Application
X
Online
Other DOC Bureaus
Foreign
X
Other Federal Agencies
Private Sector
X
Commercial Data Brokers
Other (specify):
2.3 Describe how the accuracy of the information in the system is ensured.
Multiple conditions have been implemented, system-wide, to restrict a user from selecting incorrect options, including database fields and values. In addition, after the data is collected and validated, numerous QAQC reports are run to confirm the data's accuracy.
The system's access is granted based on specific roles, and very few users can access the whole system.
Logs for every operation (no exceptions) are generated, collected, and kept indefinitely, which allows
the reconstruction and analysis of any event that might happen at a particular point. Operation logs are
generated with time and location.
2.4 Is the information covered by the Paperwork Reduction Act?
Yes, the information is covered by the Paperwork Reduction Act. Provide the OMB control number and the agency number for the collection.
X
The OMB control numbers are 0648-0670, 0648-0013, 0648-0543, 0648-0371, 0648-0247, 0648-0151, 0648-0591, 0648-0016, 0648-0542, 0648-0631, 0648-0770.
No, the information is not covered by the Paperwork Reduction Act.
2.5 Indicate the technologies used that contain PII/BII in ways that have not been previously deployed. (Check all that apply.)
Technologies Used Containing PII/BII Not Previously Deployed (TUCPBNPD)
Smart Cards
Biometrics
Caller-ID
Personal Identity Verification (PIV) Cards
Other (specify): UAS is now being used.
There are not any technologies used that contain PII/BII in ways that have not been previously deployed.
Section 3: System Supported Activities
3.1 Indicate IT system supported activities, which raise privacy risks/concerns. (Check all that apply.)
Activities
Audio recordings
Building entry readers
X
Video surveillance
Electronic purchase transactions
Other (specify):
NOAA4400 makes use of UAS and has the potential for inadvertent collection of PII. However, no information
retrieval using any unique identifier within Survey datasets will be conducted, and any PII inadvertently collected
will be deleted within 30 days. NOAA4400 does not use any application capable of facial recognition within any
captured images. It is anticipated that the UAS collected imagery will be at a resolution to meet organizational
needs, but it would not have the ability (resolution or clarity) to identify any individuals uniquely.
There are not any IT system supported activities which raise privacy risks/concerns.
Section 4: Purpose of the System
4.1 Indicate why the PII/BII in the IT system is being collected, maintained, or disseminated. (Check all that apply.)
Purpose
For a Computer Matching Program
For administrative matters
For litigation
For civil enforcement activities
To improve Federal services online
For web measurement and customization
technologies (single-session)
Other (specify):
X
X
For administering human resources programs
To promote information sharing initiatives
For criminal law enforcement activities
For intelligence activities
For employee or customer satisfaction
For web measurement and customization
technologies (multi-session)
X
Section 5: Use of the Information
5.1 In the context of functional areas (business processes, missions, operations, etc.) supported by the IT system, describe how the PII/BII that is collected, maintained, or disseminated will be used. Indicate if the PII/BII identified in Section 2.1 of this document is in reference to a federal employee/contractor, member of the public, foreign national, visitor or other (specify).
NOAA4400 collects PII (captain’s name) and BII from logbooks for the purposes of regulating the
applicable fisheries. This information is maintained locally within the NOAA4400 system and is used
only for research and regulatory purposes. This information is collected from members of the public and
shared only within the bureau, other DOC bureaus, and other federal agencies on a case by case basis.
The OMB forms used for data collection are:
· ATLANTIC HIGHLY MIGRATORY SPECIES LOGBOOK TRIP SUMMARY FORM: 0648-0371
· ATLANTIC HIGHLY MIGRATORY SPECIES LOGBOOK - SET FORM: 0648-0371
· NO FISHING REPORTING FORM: 0648-0016
· SE COASTAL FISHERIES TRIP REPORT FORM: 0648-0016
· SUPPLEMENTAL DISCARD AND GEAR INTERACTION TRIP REPORT FORM: 0648-0016
NOAA4400 makes use of UAS and has the potential for inadvertent collection of PII. However, no
information retrieval using any unique identifier within Survey datasets will be conducted, and any PII
inadvertently collected will be deleted within 30 days. NOAA4400 does not use any application capable
of facial recognition within any captured images. It is anticipated that the UAS collected imagery will be
at a resolution to meet organizational needs, but it would not have the ability (resolution or clarity) to
identify any individuals uniquely.
5.2 Describe any potential threats to privacy, such as insider threat, as a result of the bureau's/operating unit's use of the information, and controls that the bureau/operating unit has put into place to ensure that the information is handled, retained, and disposed appropriately. (For example: mandatory training for system users regarding appropriate handling of information, automatic purging of information in accordance with the retention schedule, etc.)
All personnel that work with the Logbook data are trained annually to help reduce the risk and minimize the impact of an authorized user intentionally or unintentionally disclosing data and causing an adverse effect on sensitive data and the mission. The Logbook data is collected on paper and submitted by the fishermen via U.S. mail. Some logbooks are submitted via fax. When received, logbooks are scanned and loaded into a database, validated, and corrected by data entry personnel at SEFSC. The application is for internal use only, intranet access, and has username/password authentication.
In terms of data access, only the following personnel have access: (a) 4 System Administrators/Developers;
(b) 24 NOAA Data users; (c) 76 users have access to the Logbook images: NOAA Officials, including
Southeast Regional Office, OLE, NE HMS, SA & GOM Council. To access the data, all personnel have a
signed NDA. Logbook data is permanently retained.
All data is encrypted at rest and during transit and is handled by the Database Administrator in an Oracle
System. Considering the measures in place, unauthorized access is not likely. More information about
access to the data is given in Section 8.2 as well.
Any PII collected by UAS is incidental, unintentional, and not retained. It is anticipated that the
UAS collected imagery will be at a resolution to meet organizational needs, but it would not have
the ability (resolution or clarity) to identify any individuals uniquely.
Section 6: Information Sharing and Access
6.1 Indicate with whom the bureau intends to share the PII/BII in the IT system and how the PII/BII will be shared. (Check all that apply.)
Recipient
Case-by-Case
Within the bureau
DOC bureaus
Federal agencies
State, local, tribal gov’t agencies *
Public
Private sector
Foreign governments
Foreign entities
How Information will be Shared
Bulk Transfer
Direct Access
X
X
X
X
X
Other (specify):
* The Atlantic States Marine Fisheries Commission is where ACCSP / ACFIN is located. As an interstate
Commission created by Congress – they are between a federal government and state/local government
designation.
The PII/BII in the system will not be shared.
6.2 Does the DOC bureau/operating unit place a limitation on re-dissemination of PII/BII shared with external agencies/entities?
Yes, the external agency/entity is required to verify with the DOC bureau/operating unit before re-dissemination of PII/BII.
X
No, the external agency/entity is not required to verify with the DOC bureau/operating unit before re-dissemination of PII/BII.
No, the bureau/operating unit does not share PII/BII with external agencies/entities.
6.3 Indicate whether the IT system connects with or receives information from any other IT systems authorized to process PII and/or BII.
Yes, this IT system connects with or receives information from another IT system(s) authorized to
process PII and/or BII.
Provide the name of the IT system and describe the technical controls which prevent PII/BII leakage:
X
This IT system connects to ACCSP; NOAA4000, NOAA4200, and NOAA4300 but does not receive
information from another IT system(s) authorized to process PII and/or BII.
No, this IT system does not connect with or receive information from another IT system(s) authorized to
process PII and/or BII.
6.4 Identify the class of users who will have access to the IT system and the PII/BII. (Check all that apply.)
Class of Users
General Public
Government Employees
X
Contractors
Other (specify): Contract system developers working for ACCSP have access to the PII/BII collected.
Section 7: Notice and Consent
7.1 Indicate whether individuals will be notified if their PII/BII is collected, maintained, or disseminated by the system. (Check all that apply.)
X
Yes, notice is provided pursuant to a system of records notice published in the Federal Register and discussed in Section 9.
Yes, notice is provided by a Privacy Act statement and/or privacy policy. The Privacy Act statement and/or privacy policy can be found at:
X
https://www.fisheries.noaa.gov/national/fisheries-observers/privacy-act-statement
X
Link to the Logbook can be found at: https://grunt.sefsc.noaa.gov/apex/f?p=128
Note: The PAS can be viewed at the end of this document.
Yes, notice is provided by other means. Specify how:
X
Notice is given on letters to permit holders explaining permit-related responsibilities.
No, notice is not provided. Specify why not:
7.2 Indicate whether and how individuals have an opportunity to decline to provide PII/BII.
X
Yes, individuals have an opportunity to decline to provide PII/BII. Specify how: Fishers may decline to provide PII/BII by not completing their logbooks, but this information is required under the MSA and also is needed to maintain their permits. Link to the Logbook can be found at: https://grunt.sefsc.noaa.gov/apex/f?p=128
No, individuals do not have an opportunity to decline to provide PII/BII.
7.3 Indicate whether and how individuals have an opportunity to consent to particular uses of their PII/BII.
Note: The PAS can be viewed at the end of this document.
Yes, individuals have an opportunity to consent to particular uses of their PII/BII. Specify how:
X
No, individuals do not have an opportunity to consent to particular uses of their PII/BII. Specify why not: The only uses of the logbook information are research and regulatory purposes. Consent to these uses is implied by completion of the logbook.
7.4 Indicate whether and how individuals have an opportunity to review/update PII/BII pertaining to them.
X
Yes, individuals have an opportunity to review/update PII/BII pertaining to them. Specify how: Pursuant to 15 CFR 4.27, Fishers may contact NOAA4400 offices (the contact information is on the logbook forms) and ask to review their logbook data.
No, individuals do not have an opportunity to review/update PII/BII pertaining to them. Specify why not:
Section 8: Administrative and Technological Controls
8.1 Indicate the administrative and technological controls for the system. (Check all that apply.)
X
X
X
X
X
X
X
X
X
X
X
X
All users signed a confidentiality agreement or non-disclosure agreement.
All users are subject to a Code of Conduct that includes the requirement for confidentiality.
Staff (employees and contractors) received training on privacy and confidentiality policies and practices.
Access to the PII/BII is restricted to authorized personnel only.
Access to the PII/BII is being monitored, tracked, or recorded.
Explanation: The minimum PII and BII the system collects have the same protection that the Database
server, and all information related to both components is encrypted.
The information is secured in accordance with the Federal Information Security Modernization Act
(FISMA) requirements.
Provide date of most recent Assessment and Authorization (A&A): 05/01/2023
伫 This is a new system. The A&A date will be provided when the A&A package is approved.
The Federal Information Processing Standard (FIPS) 199 security impact category for this system is a
moderate or higher.
NIST Special Publication (SP) 800-122 and NIST SP 800-53 Revision 5 Appendix J recommended
security controls for protecting PII/BII are in place and functioning as intended; or have an approved Plan
of Action and Milestones (POA&M).
A security assessment report has been reviewed for the information system and it has been determined
that there are no additional privacy risks.
Contractors that have access to the system are subject to information security provisions in their contracts
required by DOC policy.
Contracts with customers establish DOC ownership rights over data including PII/BII.
Acceptance of liability for exposure of PII/BII is clearly defined in agreements with customers.
Other (specify): ISSO will work with the COR to ensure appropriate FAR clauses (Subparts 24.1 and 24.2 or
contracts clauses 52.224-1 or 52.224-2) are added to contracts.
8.2
Provide a general description of the technologies used to protect PII/BII on the IT system.
(Include data encryption in transit and/or at rest, if applicable).
The potential risk of inappropriate and/or unauthorized disclosure is mitigated by limiting the number of authorized system users, providing initial and annual system security training, monitoring authorized user activity, automatically and immediately notifying the system administrator of unauthorized system access or usage, documenting user violations, and gradually escalating reprimands for system violations, ranging from a verbal warning with refresher security training to denial of system access.
Logbook data, when entered, is stored on our Oracle Database server. This system uses native database authentication and encryption for user access. Data on the Oracle Database can be read only after authenticating with a username and password.
The information is secured via both administrative and technological controls. BII is stored on shared drives that require a CAC for access. SEFSC implements the principle of least privilege and separation of duties to ensure that only personnel with a need to know have access to this information.
All NOAA4400 personnel and contractors are instructed on the confidential nature of this information. By acknowledging the NOAA rules of behavior, account request agreements, etc., all users commit to abide by all statutory and regulatory data confidentiality requirements and to release the data only to authorized users.
Buildings employ security systems with locks and access limits. Only those with a need to know in order to carry out their official duties have access to the data. The computerized database is password-protected, and access is limited. Paper records are maintained in secured file cabinets in areas accessible only to authorized personnel of NOAA4400.
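The least-privilege, separation-of-duties, native-authentication and monitoring controls that Section 8.2 describes for the Oracle logbook database, written out as an added example in Oracle SQL. This is illustrative code, not NOAA4400's configuration or any script belonging to the SEFSC system. Every schema, table, column, role, user, profile and policy name below (fls_owner, logbook_trip, logbook_entry, logbook_research, logbook_users, jdoe, logbook_pii_access, logbook_failed_logon) is an assumption invented for the example, and the statements assume Oracle Database 12c or later run by a DBA, with unified auditing available and, for the ENCRYPT columns, an open TDE keystore.

```sql
-- Added example, not NOAA4400 configuration. All object names are
-- assumptions chosen for illustration.

-- 1. Native database authentication with a password policy: named accounts
--    only, lockout after repeated failures, periodic password change.
CREATE PROFILE logbook_users LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1      -- days locked after the 5th failure
  PASSWORD_LIFE_TIME    60;    -- days before a password must be changed

-- 2. The schema that owns the logbook data is a locked account. Nobody logs
--    in as the owner, so every read or write goes through a granted role.
CREATE USER fls_owner IDENTIFIED BY "Owner-Never-Used-1" ACCOUNT LOCK;
ALTER USER fls_owner QUOTA UNLIMITED ON users;

-- The PII the PIA says the system holds (captain name, address, phone) sits
-- in TDE-encrypted columns; ENCRYPT requires an open keystore.
CREATE TABLE fls_owner.logbook_trip (
  trip_id         NUMBER         PRIMARY KEY,
  vessel_id       VARCHAR2(16)   NOT NULL,
  trip_date       DATE           NOT NULL,
  area            VARCHAR2(8),
  species_code    VARCHAR2(8),
  landed_lbs      NUMBER,
  captain_name    VARCHAR2(80)   ENCRYPT,
  captain_address VARCHAR2(200)  ENCRYPT,
  captain_phone   VARCHAR2(20)   ENCRYPT
);

-- 3. Least privilege: two narrow roles instead of direct grants to people.
CREATE ROLE logbook_entry;      -- staff who key in submitted logbooks
CREATE ROLE logbook_research;   -- scientists using catch data

-- Data-entry staff can add and correct trips, and nothing else.
GRANT SELECT, INSERT, UPDATE ON fls_owner.logbook_trip TO logbook_entry;

-- Researchers read through a view that omits the contact columns, so the
-- research role is never granted anything on the PII fields themselves.
CREATE VIEW fls_owner.logbook_trip_research AS
  SELECT trip_id, vessel_id, trip_date, area, species_code, landed_lbs
    FROM fls_owner.logbook_trip;
GRANT SELECT ON fls_owner.logbook_trip_research TO logbook_research;

-- A named user gets CREATE SESSION plus one role and no direct table grants.
CREATE USER jdoe IDENTIFIED BY "Example-Strong-Pw-1" PROFILE logbook_users;
GRANT CREATE SESSION, logbook_research TO jdoe;

-- 4. Separation-of-duties check: neither role may carry administrative
--    privileges. Both queries should return no rows.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('LOGBOOK_ENTRY', 'LOGBOOK_RESEARCH')
   AND privilege LIKE '%ANY%';
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee IN ('LOGBOOK_ENTRY', 'LOGBOOK_RESEARCH')
   AND granted_role = 'DBA';

-- 5. Monitoring: unified auditing records reads and writes of the PII table
--    and every failed logon. This trail is what feeds the immediate
--    notification to the system administrator; the alerting itself lives
--    outside SQL.
CREATE AUDIT POLICY logbook_pii_access
  ACTIONS SELECT ON fls_owner.logbook_trip,
          INSERT ON fls_owner.logbook_trip,
          UPDATE ON fls_owner.logbook_trip,
          DELETE ON fls_owner.logbook_trip;
AUDIT POLICY logbook_pii_access;

CREATE AUDIT POLICY logbook_failed_logon ACTIONS LOGON;
AUDIT POLICY logbook_failed_logon WHENEVER NOT SUCCESSFUL;

-- What the administrator pulls when a notification fires: who touched the
-- PII table or failed to log on in the last hour, and from which program.
SELECT event_timestamp, dbusername, os_username, client_program_name,
       action_name, object_name, return_code
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%LOGBOOK%'
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' HOUR
 ORDER BY event_timestamp DESC;
```

One caveat a reviewer would raise against Section 8.2 as written: a username and password is described as the only path to the Oracle data, while the shared drives holding BII require a CAC. If the same smart-card requirement is wanted at the database layer, that is Oracle's externally authenticated users (Kerberos or PKI), a separate configuration not shown above; the native password profile here only limits guessing, it does not add a second factor.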
Section 9: Privacy Act
9.1
Is the PII/BII searchable by a personal identifier (e.g. name or Social Security number)?
[X] Yes, the PII/BII is searchable by a personal identifier.
[ ] No, the PII/BII is not searchable by a personal identifier.
9.2
Indicate whether a system of records is being created under the Privacy Act, 5 U.S.C. § 552a. (A new system of records notice (SORN) is required if the system is not covered by an existing SORN).
As per the Privacy Act of 1974, “the term ‘system of records’ means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”
[X] Yes, this system is covered by an existing system of records notice (SORN). Provide the SORN name, number, and link. (list all that apply):
NOAA-6 SYSTEM NAME: “Fishermen's Statistical Data.” https://www.osec.doc.gov/opog/PrivacyAct/SORNs/noaa-6.html
NOAA-19 SYSTEM NAME: “Permits and Registrations for United States Federally Regulated Fisheries.” https://www.osec.doc.gov/opog/PrivacyAct/SORNs/noaa-19.html
[ ] Yes, a SORN has been submitted to the Department for approval on (date).
[ ] No, this system is not a system of records and a SORN is not applicable.
Section 10: Retention of Information
10.1 Indicate whether these records are covered by an approved records control schedule and monitored for compliance. (Check all that apply.)
[X] There is an approved record control schedule. Provide the name of the record control schedule: NOAA1504.24, SEFSC Logbook – This covers the paper versions of the logbook forms.
[X] No, there is not an approved record control schedule. Provide the stage in which the project is in developing and submitting a records control schedule: A records schedule for the electronic version of the logbook information has been submitted to NARA for approval. Until scheduled, these electronic records are categorized as Permanent.
[X] Yes, retention is monitored for compliance to the schedule. Scheduled records are monitored for compliance with the records schedule.
[ ] No, retention is not monitored for compliance to the schedule. Provide explanation:
10.2 Indicate the disposal method of the PII/BII. (Check all that apply.)
Disposal
Shredding
Degaussing
Other (specify):
X
Overwriting
Deleting
X
Section 11: NIST Special Publication 800-122 PII Confidentiality Impact Level
11.1 Indicate the potential impact that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed. (The PII Confidentiality Impact Level is not the same, and does not have to be the same, as the Federal Information Processing Standards (FIPS) 199 security impact category.)
[X] Low – the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
[ ] Moderate – the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
[ ] High – the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
11.2 Indicate which factors were used to determine the above PII confidentiality impact level. (Check all that apply.)
[ ] Identifiability
Provide explanation:
[X] Quantity of PII
Provide explanation: The quantity is minimal. NOAA4400 does not collect SSNs or EINs; however, the organization gathers some minimal PII such as captains' names, addresses, and phone numbers.
[X] Data Field Sensitivity
Provide explanation: Sensitive PII such as SSNs and sensitive BII for fishermen are not collected by NOAA4400, nor is sensitive business data.
[X] Context of Use
Provide explanation: Permit information and fishers' business data are stored securely as described in Sections 8.1 and 8.2. Administrative and technological controls are in place to protect the minimum PII/BII the system collects.
[X] Obligation to Protect Confidentiality
Provide explanation: The Magnuson-Stevens Act provides for the confidentiality of fisheries data.
[X] Access to and Location of PII
Provide explanation: The system is not publicly accessible. Access to PII/BII is controlled through access control lists, separation of duties, and enforcement of least-privilege access. We also limit the number of authorized system users, provide initial and annual system security training, and monitor authorized user activity, with automatic and immediate notification of unauthorized system access or usage to the system administrator, documentation of user violations, and gradually escalating reprimands for system violations ranging from a verbal warning with refresher security training to denial of system access.
[ ] Other:
Provide explanation:
Section 12: Analysis
12.1 Identify and evaluate any potential threats to privacy that exist in light of the information
collected or the sources from which the information is collected. Also, describe the
choices that the bureau/operating unit made with regard to the type or quantity of
information collected and the sources providing the information in order to prevent or
mitigate threats to privacy. (For example: If a decision was made to collect less data,
include a discussion of this decision; if it is necessary to obtain information from sources other
than the individual, explain why.)
Other than the accidental release of confidential information, no other threats have been identified. NOAA4400 gathers only what the councils decide is needed to support management, which is minimal PII/BII such as business name and address for mailing. This information is stored in an Oracle Database and requires a username/password for access. Backups are encrypted. All online entries (i.e., web applications) are reviewed to mitigate security threats and have passed security scanning (i.e., Apex SERT).
12.2 Indicate whether the conduct of this PIA results in any required business process changes.
[ ] Yes, the conduct of this PIA results in required business process changes. Explanation:
[X] No, the conduct of this PIA does not result in any required business process changes.
12.3 Indicate whether the conduct of this PIA results in any required technology changes.
[ ] Yes, the conduct of this PIA results in required technology changes. Explanation:
[X] No, the conduct of this PIA does not result in any required technology changes.
Privacy Act Statement
Authority: The collection of this information is authorized under 50 C.F.R. 622.5 for the purpose of managing the fisheries of the Caribbean, Gulf of Mexico, and South Atlantic in accordance with the Atlantic Tunas Convention Act (16 U.S.C. 971 et seq.) and the Magnuson-Stevens Fishery Conservation and Management Act (16 U.S.C. 1801 et seq.).
Purpose: The Department of Commerce (Department) is collecting this information to ensure productive and sustainable fisheries, safe sources of seafood, recovery and conservation of protected resources, and healthy ecosystems. The Fisheries Logbook System records the fishing and non-fishing activity of fishermen who are required to report their fishing activity via logbooks submitted for each trip.
Routine Uses: The Department will use this information to routinely monitor fisheries to ensure they are sustainably managed. Disclosure of this information is also subject to all of the published routine uses as identified in the Privacy Act System of Records Notice COMMERCE/NOAA-6, Fishermen's Statistical Data, and COMMERCE/NOAA-19, Permits and Registrations for United States Federally Regulated Fisheries.
Disclosure: Furnishing this information is mandatory. The failure to report as required by a permit may result in delays in permit renewals.
File Type: application/pdf
File Title: NOAA4400 PIA 2022-0119 CRB Updates.pdf
Author: Luis O. Noguerol
File Modified: 2024-03-14
File Created: 2024-03-14