OSY ZyIndex Personnel Security System

July 2009

Privacy Impact Assessment Statement

Prepared by: Sheryl Hollins

Project: ZyIndex Personnel Security System

Unique Project Identifier: 006-05-01-60-02-0402-00

IT Security System: OS-18 Office of Security (OSY) IT Infrastructure

Project Description:

The ZyIndex Personnel Security System (ZyIndex) is a database of responses to security questionnaires and related personnel documents and forms that that are submitted and collected as part of the personnel security process. ZyIndex is commercial off-the-shelf (COTS) software that creates and manages searchable archives of scanned paper documents and electronic records.

The Office of Security (OSY) Personnel Security Office scans in copies of the original documents and uses ZyIndex software to store, organize, and retrieve documents. Once the documents are stored in the system, Personnel Security staff are able to type in key words, sentences, Boolean logic, proximities, etc., to search for a particular document and the personal information in it.

The servers for the system are located in the Herbert Clark Hoover Building (HCHB) that houses Department of Commerce Headquarters, and are part of the OSY Information Technology (IT) Infrastructure network designated by the Unique Project Identifier number above.

This PIA has been developed to comply with the requirement in Section 208 of the E-Government Act of 2002 (44 U.S.C. 36) and the Department of Commerce IT Privacy Policy.

Purpose:

The Department of Commerce’s Office of Security (OSY) is responsible for establishing and implementing the Department-wide programs for the protection of all Commerce personnel, facilities, and other physical assets, and for providing security services for the Office of the Secretary. The Office of the Chief Information Officer is responsible for information technology security.

1. What information is to be collected (e.g., nature and source)?

The information collected includes personal information that is collected as part of the employment and personnel security process for new and incumbent employees and contractors who require a new or updated background investigation:

• Individual applicant’s full name, signature, date and place of birth, social security number, other names used, height, weight, hair color, eye color, sex, telephone numbers, citizenship, places the individual lived, where the individual went to school, employment activities, and marital status;

• Spouse’s full name, date and place of birth, social security number, other names used, and citizenship;

• Individual and spouse’s address, date married, place married, and, if applicable, dates of separation and legal separation;

• Former spouse’s full name, date and place of birth, social security number, other names used, spouse citizenship, address, date and place married to former spouse, dates of separation and legal separation from former spouse;

• Full names of relatives and associates, and their dates and countries of birth, citizenship, and addresses; and

• Information about the individual applicant’s military history, foreign activities, foreign countries visited, military record, Selective Service record, medical record, employment record, police record, use of illegal drugs and alcohol, previous investigations, financial delinquencies, civil court litigation, and membership in certain organizations.

2. Why is the information being collected (e.g., to determine eligibility)?

The personal information is collected as part of the personnel security process in order for the Department to conduct background investigations. These investigations are conducted to establish that applicants or incumbents, either employed by the U.S. Government or working for the Government under contract, are suitable for a job, eligible for a public trust or sensitive position, and/or eligible for a security clearance. For applicants, the information is collected only after a conditional offer of employment has been made. The personal information obtained is collected with the knowledge and consent of the individual.

3. What is the intended use of the information (e.g., to verify existing data)?

The personal information was collected as part of the Personnel Security process in order for the Department to conduct background investigations to establish that applicants or incumbents either employed by the U.S. Government or working for the Government under contract are suitable for a job, eligible for a public trust or sensitive position, and/or eligible for a security clearance.

4. With whom will the information be shared (e.g., another agency for a specified programmatic purpose)?

Personal information will be shared only with authorized users who have a legitimate need to know. Specifically, the information may be shared with authorized users of the Department’s Office of Security; the Office of Personnel Management; Federal Bureau of Investigation; and any other individual representing a federal agency with authority to obtain the information in accordance with the Privacy Act system of records notice for these records, DEPT-13, Investigative and Security Records.

5. What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?

The personal information is primarily collected by an individual’s completion of Standard Form (SF) 85, Questionnaire for Non-Sensitive Positions; SF 85P, Questionnaire for Public Trust Positions; or SF 86, Questionnaire for National Security Positions. Prior to completion of the questionnaire, the individual is advised that providing the information is voluntary; however, OSY might not be able to complete the required background investigation, or complete it in a timely manner, if an individual does not provide each item of information requested. Failure to complete the investigation could affect the individual’s placement, employment, or security clearance prospects. The individual could choose to decline providing the requested personal information or to consent to the particular use of the personal information at the time the questionnaire is presented for completion.

The database also includes affidavits, medical release forms, and other documents signed by the individual or generated by OSY, other Commerce offices, and the Office of Personnel Management (OPM) as part of the background investigation and clearance process.

6. How will the information be secured (e.g., administrative and technological controls)?

In accordance with the requirements of the Federal Information Security Management Act of 2002 (FISMA), a Security Certification and Accreditation (C&A) was completed and is in force for OS-018 - Office of Security (OSY) IT Infrastructure, which is the system that hosts ZyIndex. The C&A process is an audit of policies, procedures, controls, and contingency planning, required to be completed for all federal government IT systems every three years.

The IT Security Plan for this system is also current and in force. The access and other controls for the host system meet the requirements of the Department of Commerce IT Security Program Policy and Minimum Implementation Standards.

The information will be secured via both administrative and technical controls, including:

a. Authorized users are assigned and required to use a system user identification login and password.

b. The personal information on the scanned documents is write-protected and cannot be altered.

c. Regular monitoring of the system for unauthorized access will be conducted.

d. The OSY IT Infrastructure Network on which ZyIndex resides is compliant with the Department’s Information Technology (IT) Security Program Policy and Minimum Implementation Standards.

e. The use of the Citrix security applications and associated protections provide additional security for the information.

f. Upon granting the security clearance, the paper copies of the source documents that were used for scanning are shredded. The original signed documents are maintained separately and disposed of in accordance with the applicable records control schedules approved by the National Archives and Records Administration (NARA).

The potential risk of inappropriate disclosure and/or unauthorized disclosure is mitigated by limiting the number of authorized system users, providing initial and annual system security training, monitoring authorized user activity, automatic and immediate notification of unauthorized system access or usage to the system administrator, and documenting user violations.

7. Is a system of records being created under the Privacy Act, 5 U.S.C. 552a?

No. The existing Privacy Act system of records notice for DEPT-13, Investigative and Security Records, applies to the personal information in this system.

8. How long will these records be retained?

The retention period for these records is guided by the General Records Schedules (GRS), which are issued by the National Archives and Records Administration (NARA) to provide disposition authorization for records common to several or all agencies of the federal government. GRS 18, item 22a, provides that personnel security clearance files are to be destroyed upon notification of death or not later than 5 years after separation or transfer of employee or no later than 5 years after contract relationship expires, whichever is applicable. In accordance with GRS 20, item 3, electronic versions of records scheduled for disposal may be deleted at the expiration of the retention period authorized by the GRS for the equivalent paper copies or when no longer needed, whichever is later.

9. Do you log all computer-readable data extracts from databases holding sensitive information? Is that information verified (including sensitive data) and erased within 90 days or determined that it is still required?

Computer-readable extracts are limited to single records through printing of the record and are not being logged. Information is verified by the individual entering the data. Extracts are retained as long as required for investigation purposes and then destroyed once the information is no longer needed. The Rules of Behavior have also been updated to reflect this requirement. Users will need to contact their Security Officer if they extract sensitive data and do not destroy the information within 90 days.