Fill and Sign the Insurance Request Form

USDA Privacy Impact Assessment (PIA) Price Support Systems (PSS) Electronic Loan Deficiency Payments Revision: 1.03 Farm Service Agency Date: July 23, 2009 Page ii Date: July 23, 2009 Document Information Owner Details Name Fred Gustafson Contact Number (816) 926-2137 Fred.Gustafson@kcc.usda.qov E-mail Address Document Revision and History Revision Date Author Commen~ Draft .0 l 07/21/09 T. Ostrander 1.01 07/22/09 T. Ostrander 1.02 7/23/09 Dave Goodman Update by application point of contact 1.03 7~3~9 D.Brizendine Document review Page iii Changed 24, 25, 26, 26.1 Date: July 31, 2009 Table of Contents 1 PURPOSE OF DOCUMENT ................................................................................................1 2 SYSTEM INFORMATION ...................................................................................................2 3 DATA INFORMATION ........................................................................................................4 3.1 Data Collection ....................................................................................................................4 3.2 Data Use ...............................................................................................................................5 6 3.3 Data Retention ..................................................................................................................... 3.4 Data Sharing ........................................................................................................................ 7 3.5 Data Access ..........................................................................................................................7 3.6 Customer Protection ........................................................................................................... 8 4 1 SYSTEM OF RECORD ......................................................................................................... 5 TECHNOLOGY .....................................................................................................................1 6 COMPLETION INSTRUCTIONS .......................................................................................2 Page iv Date: July 31,2009 1 Purpose of Document USDA DM 3515-002 states: "Agencies are responsible for initiating the PIA in the early stages of the development of a system and to ensure that the PIA is completed as part of the required System Life Cycle (SLC) revie~vs. Systems include data from applications housed on mainframes, personal computers, and applications developed for the Web and agency databases. Privacy must be considered when requirements are being analyzed and decisions are being made about data usage and system design. This applies to all of the development methodologies and system life cycles used in USDA. Both the system owners and system developers must work together to complete the PIA. System owners must address what data are used, how the data are used, and who will use the data. System owners also need to address the privacy implications that result from the use of new technologies (e.g., caller identification). The system developers must address ~vhether the implementation of the owner’s requirements presents any threats to privacy." Re Privacy Impact Assessment (PIA) document contains information on how the Electronic Loan Deficiency Payments affects the privacy of its users and the information stored within. This assessment is in accordance with NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems. Page ! Date: July 23, 2009 2 System Information System Information Agency: Farm Service Agency System Nan~e: Electronic Loan Deficiency Payments System Type: [] Major Application [] General Support System [] Non-major Application System Categorization (per FIPS 199): [] High [] Moderate [] Low To establish eligibility the applicant/producer is required to visit their local FSA Service Center (SC) where program eligibility data is determined and recorded. The Internet-based eLDP application process can subsequently be accessed by the producer using an electronic Authentication (eAuth) assigned identification and password, or entered by a SC employee on behalf of the producer. The eLDP request is submitted for processing and once the payment request is certified, funds are automatically routed by electronic funds transfer to the producer’s direct deposit account. This typically occurs within 48 hours. Listings of processed transactions are viewable online by SC and Kansas City Finance Office (KCFO) accounting personnel. Notification to producers is forwarded immediately via email to confirm the receipt of an eLDP application. Description of System: This application allows FSA to provide agricultural producers with more convenient, efficient, and flexible services while reducing the amount of prompt payment interest paid by the Commodity Credit Corporation (CCC) to producers in the process. Who owns this system? (Nanae, agency, contact information) Fred Gustafson (816) 926-2137 Fred.Gustafson(~,kcc.usda.~ov Who is the security contact for this system? (Name, agency, contact information) Brian Davies Information System Security Program Manager (ISSPM) U.S. Department of Agriculture Farm Service Agency 1400 Independence Avenue SW Washington, D.C. 20250 (202) 720-2419 brian.davies,~,wdc.usda.~ov Page 2 Date: July 31, 2009 Who completed this document? (Name, agency, contact information) Page 3 David Goodman (816) 926-2136 David.Goodman(~kcc usda.~ov Date: July 31, 2009 3 Data Information 3.1 Data Collection Soo Response Question Electronic Loan Deficiency Payments (eLDP)-Web: Social Security/Tax ID Number, name, address, entity type. Cotton receipt data, acreage/production data, AGI/Permitted Entity and Eligibility data. 1 Generally describe the data to be used in the system. 2 Does the system collect Social Security Numbers (SSNs) or Taxpayer Identification Numbers (TINs)? [] Yes [] No - If NO, go to question 3. 2.1 State the law or regulation that requires the collection of this information. FSA Accounting systems require SSN in order to issue payments. 3 ls the use of the data both relevant and necessary to the purpose for which the system is being designed? In other words, the data is absolutely needed and has significant and demonstrable bearing on the system’s purpose as required by statute or by Executive order of he President. [] Yes 4 Sources of the data in the system. SCIMS (name & address), COPS (cotton receipt data), Compliance (acreage data), AGI & Eligibility web services. 4.1 7qhat data is being collected from the customer? Acreage/Production information Eligibility information Producer information Customer profile - including Social Security/Tax 1D Number, name, address. 4.2 What USDA agencies are providing data for use in the system? SCIMS (name & address), COPS (cotton receipt data), Compliance (acreage data), AGI & Eligibility web services, all originating from FSA. 4.3 What state and local agencies are providing data for use in the system? From what other third party sources is data being collected? n/a 4.4 Page 4 [] No laJa Date: July 31, 2009 5 Response Question No. Will data be collected from sources outside [] Yes your agency? For example, customers, USDA[] No - If NO, go to question sources (i.e., NFC, RD, etc.) or Non-USDA sources. 5.1 How will the data collected from customers beReasonability checks through eligibility and verified for accuracy, relevance, timeliness, profile processes (i.e. certification). and completeness? 5.2 How will the data collected from USDA sources be verified for accuracy, relevance, timeliness, and completeness? 5.3 How will the data collected from non-USDA Reasonability checks through eligibility and sources be verified for accuracy, relevance, profile processes (i.e. certification). :imeliness, and completeness? Profile and application disbursement certification, 3.2 Data Use Question [ Response 6 The Individuals must be informed in writing of the FSA Cooperative Marketing Association principal purpose of the infomaation being System (CMA) is a National Computer collected from them. What is the principal System that is designed, maintained and operated to allow marketing cooperatives the purpose of the data being collected? ability to provide Cooperative Marketing Associations (CMAs) and Loan Servicing Agents (LSAs) timely and accurate eligibility, farm record and payment limitation .data i~ order to determine producer eligibility for obtaining marketing assistance loans, loans and loan deficiency payments (LDP) through CMA’s, LSAs and DMAs. 7 Will the data be used for any other purpose? 7.1 What are the other purposes? 8 [] Yes Is the use of the data both relevant and necessary to the purpose for which the system [] No is being designed? In other words, the data is absolutely needed and has significant and demonstrable bearing on the system’s purpose as required by statute or by Executive order of the President Page 5 [] Yes [] No - If NO, go to question 8. Date: July 31,2009 Response No. Question [] Yes 9 Will the system derive new data or create previously unavailable data about an individnal No - lfNO, go to question 10. [] through aggregation from the information collected (i.e., aggregating farm loans by zip codes in which only one farm exists.)? 9.1 Will the new data be placed in the individual’s] Yes [ record (customer or employee)? [] No 9.2 Can the system make determinations about customers or emp!oyees that would not be possible without the new data? 9.3 S How will the new data be verified for relevance ystem and manual validations. and accuracy? [] Yes [] No Individuals must be informed in writing of the o report/track payments by entity/producer. T routine uses of the information being collected from them. What are the intended routine uses of the data being collected? 11 Will the data be used for any other uses (routine [] Yes or otherwise)? [] No - lfNO, go to question 12. 10 11.1 What are the other uses? 12 Automation of systems can lead to the [] Yes consolidation of data - bringing data from [] No- lfNO, go to question 13. multiple sources into one central location!system - and consolidation of adminlstfafive controis~ When adthinistrative controls are consolidated, they should be evaluated so that all necessary privacy controls remain in place to the degree necessary to continue to control access to and use of the data. Is data being consolidated? 12.l What controls are in place to protect the data and prevent unauthorized access? 13 Are processes being consolidated? Profile and application disbursement certification. [] Yes [] No - If NO, go to question 14. 13.1 What controls are in place to protect the data eAuthentication and role-based authorization. and prevent unauthorized access? 3.3 Data Retention Noel Question Is the data periodically purged from the system? Page 6 t ResPonse [] Yes [] No - If NO, go to question 15. Date: July 31, 2009 Question No. i 14.1 How long is the data retained whether it is on ~aper, electronic, in the system or in a backup? Indefinitely. Response What are the procedures for purging the data at Data is retained indefinitely; however data can be archived on removable media. the end of the retention period? RFA documents. 14.3 Where are these procedures documented? 14.2 15 While the data is retained in the system, what As per FSA Policy and Procedures. are the requirements for determining if the data is still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations? 16 Is the data retained in the system the minimum Yes [] necessary for the proper performance of a [] No documented agency function? 3.4 Data Sharing 17 17.1 Will other agencies share data or have access to Yes [] data in this system (i.e., international, federal,[] No - If NO, go to question 18. state, local, other, etc.)? How will the data be used by the other agency? 17.2 Who is responsible for assuring the other agency properly uses the data? 18 Is the data transmitted to another agency or an [] Yes independent site? [] No - If NO, go to question 19. 18.1 Is there appropriate agreement in place to document the interconnection and ensure the PII and/or Privacy Act data is appropriately ~rotected? 19 ls the system operated in more than one site? [] Yes [] No - If NO, go to question 20. 19.1 How will consistent use of the system and data be maintained in all sites? 3.5 Data Access No~ [ 20 Page 7 Question Response Who will have access to the data in the system UsersfManagers access data through a web(i.e., users, managers, system administrators, based interface. developers, etc.)? Date: July 31, 2009 NO. Response Question eAuthentication (Usemame/Password) & EAS authorization process maintained by Security staff: 21 How will user access to the data be determined? 21.1 [] Yes Are criteria, procedures, controls, and responsibilities regarding user access [] No documented? How will user access to the data be restricted? Producer can only obtain information on his/her application. State, County, and National employees have role-based access. 22 22.1 23 [] Yes Are procedures in place to detect or deter browsing or unauthorized user access? [] No Does the system employ security controls to [] Yes make information unusable to unauthorized [] No individuals (i.e., encryption, strong mthentication procedures, etc.)? 3.6 Customer Protection No. ] Question I Response Who will be responsible for protecting the USDAPrivacyOffice privacy rights of the customers and employees affected by the interface (i.e., office, person, departmental position, etc.)? ttow c-aa customers and employees-contact the:By Contacting John Under~o0di2yivacy~,.- " O office or person responsible for protecting their fficer, atjohn.underwood(~kcc.usda.gov& 816.926.6992 privacy rights? [] Yes - If YES, go to question 27. 26 A "breach" refers to a situation where data and!or information assets are unduly exposed. Common FSA incident reporting process. Is a breach notification policy in place for this[] No system? 24 26.! If NO, please enter the Plan of Action and vlilestones (POA&M) number with the ~stimated completion date. 27 [] Yes Consider the following: [] No - If NO, go to question 28. Consolidation and linkage of files and systems Appeal process (manual not system driven) Derivation of data Accelerated information processing and decision making Use of new technologies Is there a potential to deprive a customer of due process rights (fundamental rules of fairness)? Page 8 Date: July 31, 2009 NO, ’ Question 27.1 Explain how this will be mitigated? 28 How will the system and its use ensure equitable treatment of customers? Response All users use the same system... System cannot be circumvented unless through manual intervention. [ 29 Is there any possibility of treating customers or ] Yes employees differently based upon their [] No - If NO, go to question 30 ndividual or group characteristics? None, all users use the same system. 29.1 Explain Page 9 Date: July 31, 2009 4 System of Record No. Question Response 30 Can the data be retrieved by a personal [] Yes identifier? In other words, does the system [] No - lfNO, go to question 31 actually retrieve data by the name of an individual or by some other unique number, symbol, or identifying attribute of the individual? 30.1 How will the data be retrieved? In other words, SSN or SCIMS unique I.D. what is the identifying attribute (i.e., employee number, social security number, etc.)? 30.2 Under which Systems of Record (SOR) notice USDA/PSA-2 - Farm Records File does the system operate? Provide number, Automated) name and publication date. (SORs can be viewed at www.access.GPO.gov.) 30.3 If the system is being modified, will the SOR [] Yes require amendment or revision? [] No Page I Date: July 23, 2009 5 Technology No. Question Response 31 Is the system using technologies in ways not [] Yes previously employed by the agency (e.g., [] No - If NO, the questiormaire is complete. Caller-ID)? 31.1 How does the use of this technology affect customer privacy? Page 1 Date: July 23, 2009 6 Completion Instructions Upon completion of this Privacy Impact Assessment for this system, the answer to OMB A-11, Planning, Budgeting, Acquisition and Management of Capital Assets, Part 7, Section E, Question 8c is: 1. Yes. PLEASE SUBMIT A COPY TO THE OFFICE OF THE ASSOCIATE CHIEF INFORMATION OFFICE FOR CYBER SECURITY. Page 2 Date: July 31, 2009