Privacy Impact Assessment
(PIA)
Financial Management Systems-SCOAP
(FMS-SCOAP)
Revision: 1.01
Farm Service Agency
Date: May 13, 2010
Privacy Impact Assessment for
Financial Management Systems-SCOAP
(FMS-SCOAP)
Document Information
Business Owner Details
Name
Dennis Taitano
Contact Number
(202) 720-3674
E-mail Address
Dennis.Taitano@wdc.usda.gov
Document Revision and History
Revision
1.01
Date
May 13, 2010
Author
Anita Trader, ISO DR
Comments
Initial version for 2010 copied from
2009 FMS PIA
Table of Contents
1 PURPOSE OF DOCUMENT
2 SYSTEM INFORMATION
3 DATA INFORMATION
3.1 Data Collection
3.2 Data Use
3.3 Data Retention
3.4 Data Sharing
3.5 Data Access
3.6 Customer Protection
4 SYSTEM OF RECORD
5 TECHNOLOGY
6 COMPLETION INSTRUCTIONS
1 Purpose of Document
USDA DM 3515-002 states: “Agencies are responsible for initiating the PIA in the early stages
of the development of a system and to ensure that the PIA is completed as part of the required
System Life Cycle (SLC) reviews. Systems include data from applications housed on
mainframes, personal computers, and applications developed for the Web and agency databases.
Privacy must be considered when requirements are being analyzed and decisions are being made
about data usage and system design. This applies to all of the development methodologies and
system life cycles used in USDA.
Both the system owners and system developers must work together to complete the PIA. System
owners must address what data are used, how the data are used, and who will use the data.
System owners also need to address the privacy implications that result from the use of new
technologies (e.g., caller identification). The system developers must address whether the
implementation of the owner’s requirements presents any threats to privacy.”
The Privacy Impact Assessment (PIA) document contains information on how the Financial
Management Systems-SCOAP affects the privacy of its users and the information stored
within. This assessment is in accordance with NIST SP 800-37 Guide for the Security
Certification and Accreditation of Federal Information Systems.
2 System Information
System Information
Agency:
Farm Service Agency
System Name:
Financial Management Systems-SCOAP
System Type:
Major Application
General Support System
Non-major Application
System Categorization
(per FIPS 199):
High
Moderate
Low
Description of System:
Financial Management System (FMS) State and County Office Automated
Project (SCOAP), which collects service center accounting transactions
transmitted from the State and Counties, the National Payment Service
(NPS), and National Receipts and Receivables System (NRRS) and passes
validated data to CORE for the generation of accounting entries.
Who owns this system? (Name, agency, contact information)
Angela Sieg
FSA/ITSD/ADC/AFAO
6501 Beacon Drive
Kansas City MO 64133
(816) 926-1568
Angela.Sieg@kcc.usda.gov
Who is the security contact for this system? (Name, agency, contact information)
Brian Davies
Information System Security Program Manager (IS SPM)
U.S. Department of Agriculture
Farm Service Agency
1400 Independence Avenue SW
Washington, D.C. 20250
(202) 720-2419
brian.davies@wdc.usda.gov
Who completed this document? (Name, agency, contact information)
Thomas Cranwill
6501 Beacon Drive
Kansas City MO 64133
(816) 926-2154
thomas.cranwill@kcc.usda.gov
3 Data Information
3.1 Data Collection
No.
1
Question
Generally describe the data to be used in the
system.
2
Does the system collect Social Security
Numbers (SSNs) or Taxpayer Identification
Numbers (TINs)?
2.1
State the law or regulation that requires the
collection of this information.
3
Is the use of the data both relevant and
necessary to the purpose for which the system
is being designed? In other words, the data is
absolutely needed and has significant and
demonstrable bearing on the system’s purpose
as required by statute or by Executive order of
the President.
Sources of the data in the system.
4
Response
Detail transaction data is passed to multiple
subsidiary systems and also retained in FMS-SCOAP (SCOAP2 database).
Yes
No – If NO, go to question 3.
The Commodity Credit Corporation Charter
Act (15 U.S.C. 714 et seq.) and Executive
Order 9397.
Yes
No
Manual inputs by FSA employees;
Financial Management System -- State & County
Office Automation Project (FMS-SCOAP)
4.1
What data is being collected from the
customer?
4.2
What USDA agencies are providing data for
use in the system?
4.3
What state and local agencies are providing
data for use in the system?
From what other third party sources is data
being collected?
4.4
5
Will data be collected from sources outside
your agency? For example, customers, USDA
sources (i.e., NFC, RD, etc.) or Non-USDA
sources.
Financial Management Reporting System Data
Warehouse:
Detail transaction data is received from FMS-SCOAP. Summary transaction data is passed from
Name, Address, SSN, TIN
N/A
none
Cotton Cooperatives, Peanut Marketing
Association, banking institutions, CADE Data
File, Farmers, Producers, vendors.
Yes
No – If NO, go to question 6.
Customer information is collected by FSA State and
County offices.
No.
5.1
Question
How will the data collected from customers be
verified for accuracy, relevance, timeliness,
and completeness?
Response
Accuracy will be verified using:
Standard Accounting Practices; CTCS has
Interface stats reports and balancing controls,
Automated system validations.
Completeness will be checked using a mixture
of human and automated review by:
-System edit validations,
-Daily balancing comparing General Ledger
activity with applicable subsidiaries.
-Each payment must contain minimal FSA
accounting information or the payment will be
rejected. Service Center employees are
responsible for the ‘certification’ approval and
‘signing’ approval of each payment request.
-Control records on batch interface files
5.2
How will the data collected from USDA
sources be verified for accuracy, relevance,
timeliness, and completeness?
See 5.1 above
5.3
How will the data collected from non-USDA
sources be verified for accuracy, relevance,
timeliness, and completeness?
See 5.1 above
3.2 Data Use
No.
6
7
7.1
8
Question
Individuals must be informed in writing of the
principal purpose of the information being
collected from them. What is the principal
purpose of the data being collected?
Will the data be used for any other purpose?
Response
FOIA provides member payment data (1614) to
requesting organizations for statistical and public
reporting.
Yes
No – If NO, go to question 8.
What are the other purposes?
Is the use of the data both relevant and
necessary to the purpose for which the system
is being designed? In other words, the data is
absolutely needed and has significant and
demonstrable bearing on the system’s purpose
as required by statute or by Executive order of
the President
Yes
No
No.
9
Question
Will the system derive new data or create
previously unavailable data about an individual
through aggregation from the information
collected (i.e., aggregating farm loans by zip
codes in which only one farm exists.)?
9.1 Will the new data be placed in the individual’s
record (customer or employee)?
9.2 Can the system make determinations about
customers or employees that would not be
possible without the new data?
9.3 How will the new data be verified for relevance
and accuracy?
10 Individuals must be informed in writing of the
routine uses of the information being collected
from them. What are the intended routine uses
of the data being collected?
11 Will the data be used for any other uses (routine
or otherwise)?
11.1 What are the other uses?
12 Automation of systems can lead to the
consolidation of data – bringing data from
multiple sources into one central
location/system – and consolidation of
administrative controls. When administrative
controls are consolidated, they should be
evaluated so that all necessary privacy controls
remain in place to the degree necessary to
continue to control access to and use of the
data. Is data being consolidated?
12.1 What controls are in place to protect the data
and prevent unauthorized access?
13
Are processes being consolidated?
Response
Yes
No – If NO, go to question 10.
Yes
Yes
No
The data is used for service center and National
Payment Service (NPS) accounting transactions.
Yes
No – If NO, go to question 12.
Yes
No – If NO, go to question 13.
FOIA provides member payment data (1614) to
requesting organizations for statistical and public
reporting.
Yes
No – If NO, go to question 14.
13.1 What controls are in place to protect the data
and prevent unauthorized access?
3.3 Data Retention
No.
Question
Response
No.
14
Question
Is the data periodically purged from the
system?
Response
Yes
No – If NO, go to question 15.
14.1 How long is the data retained whether it is on
paper, electronic, in the system or in a backup?
Up to 6 years and longer in some instances.
14.2 What are the procedures for purging the data at
the end of the retention period?
Refer to USDA standard media disposal policy
and procedure found in FSA 6-IRM and USDA
DR 3601-001
Refer to USDA standard media disposal policy
and procedure found in FSA 6-IRM and USDA
DR 3601-001
14.3 Where are these procedures documented?
15
While the data is retained in the system, what
are the requirements for determining if the data
is still sufficiently accurate, relevant, timely,
and complete to ensure fairness in making
determinations?
16
Is the data retained in the system the minimum
necessary for the proper performance of a
documented agency function?
Data, after completion is not altered. The
information is protected by agency policies and the
security controls issued by USDA. The key is to
ensure the accuracy of this data prior to entering it
into the system. The key method utilized is the
Acceptance Testing process.
Yes
No
3.4 Data Sharing
No.
17
Question
Will other agencies share data or have access to
data in this system (i.e., international, federal,
state, local, other, etc.)?
Response
Yes
No – If NO, go to question 18.
Financial Management System:
Data from 1614 is extracted from FMRS and
provided to the FOIA group for disbursement
IRS Reporting System: IRS , Government
Agencies upon request, FOIA requests.
17.1
How will the data be used by the other agency? Financial Management System:
FOIA provides member payment data (1614) to
requesting organizations for statistical and public
reporting.
CORE: Eliminations entry for financial
statements.
IRS Reporting System: Reporting information to
the IRS
No.
Question
17.2 Who is responsible for assuring the other
agency properly uses the data?
Response
Financial Management System: FOIA
CORE: Receiving agency is responsible for
following OMB guidance.
IRS Reporting System: FSA/FMD
18
Is the data transmitted to another agency or an
independent site?
18.1 Is there appropriate agreement in place to
document the interconnection and ensure the
PII and/or Privacy Act data is appropriately
protected?
19 Is the system operated in more than one site?
Yes
No – If NO, go to question 19.
Yes
No – If NO, go to question 20.
Financial Management System & CORE: - No
IRS Reporting System: Yes
19.1 How will consistent use of the system and data
be maintained in all sites?
IRS Reporting System: Consult 6-IRM for details
of the configuration management process for this
system.
3.5 Data Access
No.
20
21
21.1
22
22.1
Question
Who will have access to the data in the system
(i.e., users, managers, system administrators,
developers, etc.)?
How will user access to the data be
determined?
Are criteria, procedures, controls, and
responsibilities regarding user access
documented?
How will user access to the data be restricted?
Are procedures in place to detect or deter
browsing or unauthorized user access?
Response
Users, Managers, System Administrators,
Developers
Data is segregated by functional responsibility.
FAO maintains the internal application security
table
Yes
No
No restrictions to read data. Write capabilities are
restricted by User ID. FAO maintains the internal
application security table.
Yes
No
No.
23
Question
Does the system employ security controls to
make information unusable to unauthorized
individuals (i.e., encryption, strong
authentication procedures, etc.)?
Response
Yes
No
3.6 Customer Protection
No.
24
25
26
Question
Who will be responsible for protecting the
privacy rights of the customers and employees
affected by the interface (i.e., office, person,
departmental position, etc.)?
How can customers and employees contact the
office or person responsible for protecting their
privacy rights?
A “breach” refers to a situation where data
and/or information assets are unduly exposed.
Is a breach notification policy in place for this
system?
26.1 If NO, please enter the Plan of Action and
Milestones (POA&M) number with the
estimated completion date.
27 Consider the following:
Consolidation and linkage of files and
systems
Derivation of data
Accelerated information processing and
decision making
Use of new technologies
Is there a potential to deprive a customer of due
process rights (fundamental rules of fairness)?
Response
Production Adjustment and Risk Management
Office and USDA Privacy Office.
FSA National Help Desk at (800)-255-2434 or the
Centralized Help Desk at 800-457-3642 or
By contacting John W. Underwood, Privacy
Officer, at
FSA Privacy Act Officer / FSA PII Officer
USDA - Farm Service Agency
Beacon Facility - Mail Stop 8388
9240 Troost Avenue
Kansas City, Missouri 64131-3055
Phone: 816-926-6992
Cell: 816-564-8950
Fax: 816-448-5833
john.underwood@kcc.usda.gov
Yes – If YES, go to question 27.
Common FSA incident reporting process.
No
Yes
No – If NO, go to question 28.
27.1 Explain how this will be mitigated?
No.
28
Question
How will the system and its use ensure
equitable treatment of customers?
29
Is there any possibility of treating customers or
employees differently based upon their
individual or group characteristics?
Response
The Financial Management Systems are
implemented using a methodology that
ensures data processing will be accomplished in
the same manner for all customers.
Yes
No – If NO, go to question 30
29.1 Explain
4 System of Record
No.
30
30.1
Question
Can the data be retrieved by a personal
identifier? In other words, does the system
actually retrieve data by the name of an
individual or by some other unique number,
symbol, or identifying attribute of the
individual?
How will the data be retrieved? In other
words, what is the identifying attribute (i.e.,
employee number, social security number,
etc.)?
30.2
Under which Systems of Record (SOR)
notice does the system operate? Provide
number, name and publication date. (SORs
can be viewed at www.access.GPO.gov.)
30.3
If the system is being modified, will the SOR
require amendment or revision?
Response
Yes
No – If NO, go to question 31
Data is retrieved based on level it was recorded.
Financial Management Systems and FMRS :
SSN
Farm Records File (Automated) USDA FSA-2,
Applicant Borrower, USDA/FSA-14
Yes
No
5 Technology
No.
31
Question
Is the system using technologies in ways not
previously employed by the agency (e.g.,
Caller-ID)?
Response
Yes
No – If NO, the questionnaire is complete.
31.1 How does the use of this technology affect
customer privacy?
6 Completion Instructions
Upon completion of this Privacy Impact Assessment for this system, the answer to OMB A-11,
Planning, Budgeting, Acquisition and Management of Capital Assets, Part 7, Section E, Question
8c is:
1. Yes.
PLEASE SUBMIT A COPY TO THE OFFICE OF THE ASSOCIATE CHIEF INFORMATION
OFFICE FOR CYBER SECURITY.