The following laws and regulations establish specific requirements for the confidentiality, integrity, and availability of the data processed, stored, and transmitted by the Financial Cloud Solution (FCS):
Computer Fraud and Abuse Act of 1984
Federal Information Security Management Act of 2002
Section 208 of the E-Government Act of 2002
OMB February 1996 Circular A-130, Appendix III
Paperwork Reduction Act of 1980
Privacy Act of 1974
Title I and Title V of the Americans with Disabilities Act of 1990, as amended
EEOC Order 240.005, EEOC Information Security Program
EEOC Order 240.005, Appendix A, Information Security Responsibilities of EEOC Employees
EEOC Order 150.003, Privacy Act of 1974, as amended
Public laws and regulations applicable to all federal agencies
The individual's right to privacy must be protected in Federal Government information activities involving personal information. This assessment addresses the privacy impact of the EEOC Financial Cloud Solution (FCS).
1. Generally describe the system and the Personally Identifiable Information (PII) to be maintained in the system in each of the following categories: Complainant, Company, EEOC Employee, Other.
The Financial Cloud Solution (FCS) is a complete end-to-end integrated infrastructure managed by Global Computing Enterprises (GCE) to provide financial management shared services to federal agencies, including EEOC. It provides support for core federal financial management including: general ledger, accounts payable, accounts receivable, acquisitions, project accounting, asset management, and reporting.
The FCS system contains Personally Identifiable Information (PII) on EEOC employees, contractors, and vendors. The system also collects PII on invitational travelers who have been asked to speak for or attend a function at the request of EEOC.
The PII data collected is first and last name, SSN, residential address, personal phone numbers, mailing address, business phone numbers, business mailing address, business email address, Employer Identification Number (EIN)/Taxpayer Identification Number (TIN), and financial account information and/or numbers such as checking account numbers and retirement account numbers.
No PII data related to EEOC charges/complaints/cases is maintained in this system.
2. What are the sources of the information in the system?
PII is provided by contractors, and employees for the purpose of making payments to them. PII will also be fed into FCS from other sources. Other sources include:
3. How is the data collected?
The information is collected from vendors and employees via invoices and interfaces with the E-2 Travel and Prism. NBC payroll data is collected as a batch file.
3.1. What Federal Agencies are providing data for use in the system?
Employee data is transmitted electronically through an interface with EEOC FPPS that is hosted and maintained by DOI/NBC.
3.2. What State and Local Agencies are providing data for use in the system?
No State or Local Agencies are providing data for use in the system.
3.3. What other third party sources will data be collected from?
Data is also collected from the e2 Government Travel system, which is operated by CWTSatoTravel (obtained through GSA E-Gov Travel Services).
4. How is the information checked for accuracy?
FCS relies on authoritative sources of data for all information, including PII. No reconciliation of PII is performed unless problems arise from payments. No facility is available to vendors or federal employees to verify that the information they provided is accurate. The information provided by the contractor, vendor, or federal employee is not cross-checked against any external databases.
5. What legal authorities, arrangements, and/or agreements defined the collection of information?
PII is required to make some payments. This information is legally required to meet the requirements of the Prompt Payment Act.
6. How is the overall risk related to maintaining the privacy of the data reduced?
The privacy risks are minimal because the information is transmitted only to other government agencies as required for payments. All communication to and from FCS, including the user interface, is always protected by 1024-bit TLS v1 encryption. Information received via invoices will be entered by a government employee or a contractor working for the government in a secure subsystem of FCS.
7. Describe all uses of the PII
PII data is used to pay invoices and EEOC employees. The vendor or employee is required to provide services or goods to receive payment. PII data may also be used in relation to accounts receivable, to collect monies due to the government.
8. What types of tools are used to analyze data and what type of data may be produced?
The Reports module of the FCS is used to perform online analytical processing using the standard and Adhoc reports. Oracle Federal Financials is used to generate financial statements and support federal standard reporting requirements. PII is not required for analytical processing in support of financial statements generation.
9. Will the system derive new data or create previously unavailable data about an individual through aggregation of collected information?
No. The FCS system does not derive any data about an individual through aggregation or collection of information.
10. If the system uses commercial or publicly available data, how is this data used?
The system does not use commercial or publicly available data.
11. How is the overall risk related to the use of PII reduced?
FCS and its interfaces can only use the data to make payments to vendors and EEOC employees, or to process accounts receivable. FCS and its interfaces are not externally accessible. All FCS users receive training on the appropriate uses and handling of PII within FCS.
12. How long is the information retained in the system?
All FCS data will be retained 7 years after the expiration of the appropriation, program, or project. This is in accordance with the EEOC Records Management policy and the federal retention requirements of the Federal Records Act of 1950, 5 USC 301. FCS will retain data indefinitely under special circumstances such as an Inspector General ruling.
13. Has the retention schedule been approved by the EEOC agency records officer and the National Archives and Records Administration (NARA)?
Yes. The FCS system is covered by NARA General Records Schedule 7.
14. How is the overall risk related to the retention of data reduced?
The data will be stored on the same FCS SAN hosting the FCS data. This data is password protected and copied to the DR site at the Qwest Datacenter in Denver to meet the retention requirements. The retention time requirement for off-site tapes is 7 years. The data for the current fiscal year will be stored in the Qwest Datacenter hosting FCS. Physical access to the Qwest datacenters at Sterling, VA and Denver, CO is monitored and tightly controlled and meets federal standards for physical access control.
15. With which internal organization(s) is the PII shared, what information is shared and for what purpose?
Detailed financial transaction information is shared with EEOC Administrative Officers, District Resource Managers/Assistants and other authorized FCS users and management officials at EEOC's headquarters and field offices for the purposes of financial reporting. Payroll data is also shared with the federal employee to report W-2 wages and workers compensation to the IRS.
16. How is the PII transmitted or disclosed?
All communications to and from FCS are protected by 1024-bit TLS v1 encryption. Using encryption provides confidentiality and integrity of the data during transmission. Detailed financial transaction information is electronically shared with the EEOC and its field offices for the purposes of financial reporting via SSL/TLS secured protocols.
17. How is the overall risk related to the internal sharing and disclosure reduced?
All communications to and from FCS are protected by 1024-bit or higher SSL/TLS encryption. Using encryption provides confidentiality of the data and integrity of the data during transmission.
18. With which external organization(s) is the PII shared, what information is shared and for what purpose?
EEOC shares information with multiple external organizations. The information that had been shared from the Equal Employment Opportunity Commission through the DOI/NBC Momentum system will be shared out of FCS instead. The following section describes the uses of that data and who it may be transmitted to outside the Equal Employment Opportunity Commission:
19. How is the information shared outside of the Agency and what security measures safeguard its transmission?
EEOC shares information directly with the Department of the Treasury via the Secured Payment System (SPS) to make payments to vendors. SPS is a vendor provided product that uses a proprietary protocol and encryption method. The encryption method is FIPS 140-2 compliant. Also, we share information directly with Treasury via the Federal Debt system to collect debt. For other information shared with external Equal Employment Opportunity Commission agencies, that information is provided in hard copy and does not include PII.
20. How is the overall risk related to the external sharing and disclosure reduced?
Per #19 above, electronic data transmissions between EEOC and Treasury are encrypted at the FIPS 140-2 level. All other information shared is provided in hardcopy and does not include PII.
21. Was notice provided to the individual prior to collection of the PII?
Yes, a written or oral notice is provided before PII information is collected for making a voucher payment.
22. Do individuals have the opportunity and/or right to decline to provide information?
No, an individual cannot withhold his/her consent to provide PII information where required for receiving payments from the Equal Employment Opportunity Commission.
23. Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
Individuals do not have a right to consent to particular uses of the PII provided.
24. How is the overall risk related to the Notice to Individuals reduced?
Either written or oral notice is provided to the traveler prior to the collection of PII. PII data is never collected without the awareness of the individual; therefore there is no risk of the data being collected without their knowledge and consent.
25. What are the procedures that allow individuals to gain access to their information?
Information can be accessed by contacting the EEOC Office of the Chief Financial Officer (OCFO). EEOC employees may also contact their Office Director or District Resource Manager/Administrative Officer to access their individual data maintained in FCS.
26. What are the procedures for correcting inaccurate or erroneous information?
Inaccurate or erroneous information can be corrected by contacting the EEOC OCFO.
27. If no formal redress is provided, what alternatives are available to the individual?
The individual can contact the OCFO Senior Management to escalate and expedite the correction of erroneous PII information.
28. How is the overall risk related to the Access, Redress and Correction reduced?
The risk identified is the lack of written procedures provided to the individual at the time that PII is collected. Information is provided only in writing, by the individual's own submission.
29. What procedures are in place to determine which users may access the system and are they documented?
Each user of FCS undergoes a standard EEOC employee background check. To gain access to the FCS application, the new user's supervisor must complete and sign an access form that specifies the new user's role. The form is then reviewed by the lead accountant and/or application security officer prior to the new user's account being created. These procedures are documented in the FCS System Security Plan. The procedures are written to be in compliance with NIST Special Publication 800-53 and the EEOC Order 240.005.
30. Will Agency contractors have access to the system?
Yes, contractors have access to FCS. Contractors must have a National Agency Check with Inquiries to work at EEOC, and contractors must follow the same procedures for gaining access to FCS as employees.
31. Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
All EEOC system users must complete annual EEOC SAT training, which includes the safe handling and use of PII. In addition, at the time the user is provided an account, the Rules of Behavior are reviewed and signed by the user.
32. What auditing measures and technical safeguards are in place to prevent misuse of data?
System access is controlled and only permitted to authorized personnel. Auditing and logging are performed for users accessing FCS. Periodic maintenance is performed to test and maintain the quality of these controls. The security controls are in compliance with NIST Special Publication 800-53. As required by NIST 800-37, all the security controls are reviewed every three years, the system is certified and accredited, and independent audits are performed by the Office of Inspector General (OIG) on a periodic basis as determined by the OIG.
33. How is the overall risk related to Technical Access reduced?
Risk is mitigated by auditing measures and technical safeguards. System access is controlled and only permitted to authorized personnel. Auditing and logging are performed for users accessing FCS. Periodic maintenance is performed to test and maintain the quality of these controls. All of these mitigations are in compliance with the security controls stipulated in NIST Special Publications 800-53 and 800-37.
34. Does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.
No, the system does not use technology that may raise privacy concerns.