Template Version Number: 01-2021
U.S. Department of Commerce
National Oceanic & Atmospheric Administration
Privacy Impact Assessment for the
NOAA4400
Southeast Fisheries Science Center (SEFSC)
Reviewed by: Mark Graff, Bureau Chief Privacy Officer
[✔] Concurrence of Senior Agency Official for Privacy/DOC Chief Privacy Officer
[ ] Non-concurrence of Senior Agency Official for Privacy/DOC Chief Privacy Officer
Signature of Senior Agency Official for Privacy/DOC Chief Privacy Officer: Digitally signed by GRAFF.MARK.HYRUM.1514447892, Date: 2025.02.20 16:16:39 -05'00'
Date: 20 Feb 25
U.S. Department of Commerce Privacy Impact Assessment
NOAA4400 – Southeast Fisheries Science Center
Unique Project Identifier: NOAA4400
Introduction: System Description
The Southeast Fisheries Science Center (SEFSC) is a general support system that conducts multidisciplinary research programs to provide management information to support national and regional
programs of NOAA's National Marine Fisheries Service (NMFS) and to respond to the needs of Regional
Fishery Management Councils, Interstate and International Fishery Commission, Fishery Development
Foundations, government agencies, and the general public.
The Southeast Fisheries Science Center (SEFSC) provides the scientific advice and data needed to
effectively manage the living marine resources of the Southeast region and Atlantic high seas. We work
closely with NOAA Fisheries Southeast Regional Office to provide independent, objective science.
Our multidisciplinary research informs natural resource management. Fisheries management councils,
fisheries commissions, and federal, state and local agencies depend on our science to make decisions that
protect and conserve the region’s living marine resources.
In general, SEFSC develops the scientific information required for:
Fishery resource conservation
Fishery development and utilization
Habitat conservation
Protection of marine mammals and endangered marine species
The research is based on impact analyses and environmental assessments for management plans and international negotiations, and is pursued to address specific needs in the following fields:
Population dynamics
Fishery biology
Fishery economics
Engineering and gear development
Protected species biology
Address the following elements:
(a) Whether it is a general support system, major application, or other type of system.
The NOAA4400 is a general support system.
(b) System location
The Southeast Fisheries Science Center (SEFSC) main office is headquartered in Miami, FL, and oversees the operation of the laboratories located at Beaufort, SC, Panama City, FL, Pascagoula, MS, and Galveston, TX. Note: only the Miami, FL location has PII/BII.
(c) Whether it is a standalone system or interconnects with other systems (identifying and
describing any other systems to which it interconnects)
The SEFSC is headquartered in Miami, FL and interconnects with the Atlantic Coastal Cooperative Statistics Program (ACCSP), NOAA0100*, NOAA0550, NOAA4000, NOAA4200, and NOAA4300. The NMFS interconnections all connect via the NMFS WAN and are primarily used for database connections to provide data to NMFS science centers and regional offices. For the connection with ACCSP, all data is encrypted using Oracle native encryption (sqlnet.ora) and Transport Layer Security (TLS), in addition to the Virtual Private Network (VPN); if the VPN does not work, the data remains protected by the existing encrypted connection.
The data being shared amongst these systems consists of aggregated fishery and marine life data and the minimum Personally Identifiable Information (PII) and Business Identifiable Information (BII) needed to maintain system operation. Authorized personnel use this data for research purposes, and they access it following the access controls put in place by each system under the guidelines of the current National Institute of Standards and Technology (NIST) Information Technology (IT) Security standard.
The SEFSC is responsible for scientific research on living marine resources that occupy marine and estuarine habitats of the continental southeastern United States, as well as Puerto Rico and the U.S. Virgin Islands. The SEFSC is one of the six national marine fisheries science centers responsible for federal marine fishery research programs.
*Note: NOAA0100 is the NOAA Cyber Security Center (NCSC), to which everyone at NOAA must connect. Information is only exchanged when an incident is declared or something extraordinary happens. NOAA0100 is not a new interconnection; it is being added for accuracy.
(d) The way the system operates to achieve the purpose(s) identified in Section 4
The PII/BII in the IT system is being collected, maintained, or disseminated for (a) administrative matters, (b) civil enforcement activities, and (c) criminal law enforcement activities if needed. NOAA4400 does not collect Social Security Numbers (SSNs) or Employer Identification Numbers (EINs); however, the organization gathers some minimum PII, such as captains' names, business addresses, and phone numbers, and this information is used for processes such as (d) compliance, ensuring logbooks are submitted as required; (e) mailing (logbooks, permits, etc.); (f) use of the mailing address of record; (g) providing Highly Migratory Species (HMS) regulations and species guides to Atlantic Tournaments; and (h) online no-fish electronic reporting (account creation and mailing).
The integration of Unmanned Aircraft Systems (UAS, “drones”) into SEFSC Protected Resources and Biodiversity Division operations allows additional information to be gathered during operations, including aerial photo-identification and dorsal photography that allow for assessments of individual organism growth, health, body condition, and reproductive status and provide more accurate estimates of group sizes and group membership.
NOAA4400 could also utilize UAS to locate and assess stranded animals in areas difficult to access.
Outside of the protected resources applications, regular or opportunistic UAS deployments could
also be used to identify and, if coupled with acoustic data, determine the three-dimensional extent
and density of schooling pelagic fishes (e.g., menhadens, tunas), which could ultimately be utilized
to estimate the biomass. UAS could also be utilized to support additional projects yielding data on
the marine environment, including on critical habitats and seawater chemistry, to name a few.
UAS: The use of UAS has the potential for inadvertent collection of PII, such as images of
individuals along the coastlines that are within the area of study by the UAS vehicle. However, no
information retrieval using any unique identifier within Survey datasets will be conducted, and any
PII inadvertently collected will be deleted within 30 days. NOAA4400 does not use any application
capable of facial recognition within any captured images. It is anticipated that the UAS collected
imagery will be at a resolution to meet organizational needs, but it would not have the ability
(resolution or clarity) to identify any individuals uniquely.
If the drone goes down during flight, the retrieval of the unit would be at the operator's discretion based on safety and technical factors. Inadvertently obtained PII captured during the flight could be retrieved by others, if technically possible, from the damaged drone. NOAA4400 closely collaborates with the Office of Coast Survey (OCS), and OCS is compliant with all policies and procedures posted on the UAS.noaa.gov site along with the NOAA Unmanned Aircraft System Privacy Policy.
(e) How information in the system is retrieved by the user
NOAA4400 has a Fisheries Logbook System (FLS) which collects vessel and captain's names,
numbers of each species caught, the numbers of animals retained or discarded alive or discarded
dead, the location of the set, the types and size of gear, the duration of the set, port of departure and
return, unloading dealer and location, number of sets, number of crew, date of departure and
landing, and an estimate of the fishing time. NOAA4400 also collects the job title and telephone number of the individual completing the logbook.
The user retrieves information in the system after following multiple conditions that have been
implemented, system-wide, to restrict the user from selecting incorrect options, including database
fields and values. In addition, after the data is collected and validated, numerous Quality Assurance
Quality Control (QAQC) reports are run to confirm the data's accuracy.
The specific ways a user can retrieve the information are through Structured Query Language (SQL), Statistical Analysis System (SAS), R, Oracle, and APEX queries. Access to the systems requires special permissions, and the data is encrypted at rest.
Access to the system is granted based on specific roles and very few users can access the whole
system.
Logs for every operation (no exceptions) are generated, collected, and kept indefinitely, allowing
the reconstruction and analysis of any event that might happen at a particular point.
Operation logs are generated with time and location.
ACCSP pulls data using an encrypted SQLNET connection over a dynamic VPN to NOAA Headquarters (NOAA4000). Data are retrieved by authenticated end-users and state fisheries administrators through the ACCSP Warehouse. Federal agencies that have an Interconnection Security Agreement may retrieve the data from the ACCSP Warehouse or Standard Atlantic Fisheries Information System (SAFIS) databases, follow agreed-upon secure data transfer protocols, and provide access to their users through their local data delivery processes, as appropriate.
All internal data and resources are retrieved using Government Furnished Equipment (GFE)
through approved applications to open, review, verify, and securely delete information. Internal
resources are secured through defense-in-depth with layered security such as physical access,
firewalls, active directory, access controls, permission, etc.
Internal Common Access Card (CAC) authenticated users can utilize (based on permissions) data stored in Portable Document Format (PDF) files and databases through networked client devices and the NOAA VPN service for remote access. NOAA4400 uses Google services for email and collaboration.
(f) How information is transmitted to and from the system
All data is encrypted at rest and during transit and is handled by the Database Administrator in an Oracle system. The information is secured via both administrative and technological controls. BII is stored on shared drives that require a CAC for access. SEFSC implements the principles of least privilege and separation of duties to ensure that only personnel with a need to know have access to this information.
Logbook data, when entered, is stored on our Oracle Database server. This system uses native database authentication for user access; data on the Oracle Database can only be read after authenticating with a username and password.
A computerized database is password-protected, and access is limited. Paper records are
maintained in secured file cabinets in areas that are accessible only to authorized personnel of
NOAA4400.
The ACCSP pulls data using an encrypted SQLNET connection over a dynamic VPN to NOAA HQ (NOAA4000). Where networks are interconnected, data is passed through FIPS 140-2 approved encryption mechanisms (SQLNET AES256 encrypted sessions). The connections at each end must be located within controlled access facilities and protected 24 hours a day.
(g) Any information sharing.
The SEFSC is headquartered in Miami, FL, and interconnects with ACCSP, NOAA4000, NOAA4200, and NOAA4300. The NMFS interconnections all connect via the NMFS WAN and are primarily used for database connections to provide data to NMFS science centers and regional offices. For the connection with ACCSP, all data is encrypted using Oracle native encryption (sqlnet.ora) and TLS. The SEFSC has an encrypted connection in addition to the VPN, so if the VPN does not work the system is still protected by the existing encrypted connection.
The SEFSC is responsible for scientific research on living marine resources that occupy marine and estuarine habitats of the continental southeastern United States, Puerto Rico, and the U.S. Virgin Islands. The SEFSC is one of the six national marine fishery science centers responsible for federal marine fishery research programs. NOAA4400 intends to share the collected PII/BII (a) within the bureau, (b) with DOC bureaus, and (c) with other federal agencies as needed.
Information within NOAA4400 is collected for research and license and permitting purposes
within the SEFSC. However, in the event of the discovery of criminal activity, or behavior that is in
violation of law or regulation, NOAA4400 may share the information for criminal prosecution or
for the enforcement of administrative or criminal laws and regulations.
For the connection with ACCSP, data are passed through FIPS 140-2 approved encryption mechanisms (SQLNET AES256 encrypted sessions) if networks are interconnected. When the information is transmitted to and from the ACCSP, ACCSP pulls data using an encrypted SQLNET connection over a dynamic VPN to NOAA HQ (NOAA4000). The connections at each end must be located within controlled access facilities and protected 24 hours a day. Individual users will not have access to the data except through their system's security software inherent to the operating system.
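Added illustration, not from the PIA and not NOAA4400's or ACCSP's actual configuration: the sqlnet.ora fragments below show why the Oracle native network encryption referred to in (c), (f) and (g) has to be set to REQUIRED with an explicit AES256 algorithm list before a SQLNET session is guaranteed to be the FIPS 140-2 encrypted session the document describes, and how the result is checked from a live session. Parameter names are Oracle's documented sqlnet.ora parameters; the file layout, comments and the weak/strong pairing are constructed for this example.

```ini
# sqlnet.ora fragments (constructed example; not the real NOAA4400/ACCSP files).

# --- Weak (default) behaviour: encryption is negotiated, not enforced -------------
# ACCEPTED is the default on both sides. Two ACCEPTED peers negotiate NO
# encryption, so the session is cleartext even though "encryption is enabled".
# With no *_TYPES_* list, any supported algorithm may be negotiated, so a peer
# may settle on a weaker cipher than AES256.
# SQLNET.ENCRYPTION_SERVER = ACCEPTED
# SQLNET.ENCRYPTION_CLIENT = ACCEPTED

# --- Database server side (the host that ACCSP pulls from) ---------------------
# Refuse any session that will not encrypt.
SQLNET.ENCRYPTION_SERVER = REQUIRED
# Offer AES-256 only; this is what makes the "SQLNET AES256 encrypted sessions"
# claim checkable rather than a negotiation outcome.
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
# Integrity protection alongside confidentiality.
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
# FIPS 140 mode for native network encryption (documented sqlnet.ora parameter;
# confirm support for the installed release).
FIPS_140 = TRUE
# Recent releases: reject peers that offer deprecated algorithms.
SQLNET.ALLOW_WEAK_CRYPTO = FALSE

# --- Client side (the warehouse host that performs the pull) -------------------
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256)

# --- Check from an established session (run in SQL*Plus) -----------------------
#   SELECT network_service_banner FROM v$session_connect_info
#    WHERE sid = SYS_CONTEXT('USERENV', 'SID');
# The banner rows should name the AES256 encryption service adapter and the
# SHA256 crypto-checksumming adapter; if neither appears, the session is
# cleartext regardless of what the VPN or TLS layer is doing.
```

With REQUIRED on one side and REJECTED on the other the connection fails rather than silently downgrading, which is the behaviour a defender wants for an interconnection that carries PII/BII.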
(h) The specific programmatic authorities (statutes or Executive Orders) for collecting,
maintaining, using, and disseminating the information.
Type of Information Collected (Introduction h.) / Applicable SORNs (Section 9.2) / Programmatic Authorities (Introduction h.)

1. Fishermen's Statistical Data
Applicable SORN: NOAA-6
Programmatic Authorities:
· Fish and Wildlife Act as amended (16 U.S.C. 742 et seq.)
· Fishery Conservation and Management Act of 1976 as amended (16 U.S.C. 1852)

2. Fisheries Permits & Registrations
Applicable SORN: NOAA-19
Programmatic Authorities:
· Magnuson-Stevens Fishery Conservation and Management Act, 16 U.S.C. 1801 et seq.
· High Seas Fishing Compliance Act of 1995, 16 U.S.C. 5501 et seq.
· International Fisheries Regulations: Vessels of the United States Fishing in Colombian Treaty Waters, 50 CFR 300.120
· American Fisheries Act, Title II, Public Law No. 105–277
· Atlantic Coastal Fisheries Cooperative Management Act of 1993, 16 U.S.C. 5101-5108, as amended 1996
· Tuna Conventions Act of 1950, 16 U.S.C. 951-961
· Atlantic Tunas Convention Authorization Act, 16 U.S.C., Chapter 16A
· Northern Pacific Halibut Act of 1982, 16 U.S.C. 773 et seq.
· Antarctic Marine Living Resources Convention Act of 1984, 16 U.S.C. 2431-2444
· Western and Central Pacific Fisheries Convention Implementation Act, 16 U.S.C. 6901 et seq.
· Dolphin Protection Consumer Information Act, 16 U.S.C. 1385
· Marine Mammal Protection Act, 16 U.S.C. 1361 et seq.
· Commerce, Justice, Science and Related Agencies Act, 2018, Division B, Section 539 (Pub. L. 115-141)
· Taxpayer Identifying Number, 31 U.S.C. 7701
(i) The Federal Information Processing Standards (FIPS) 199 security impact category for the
system
According to FIPS 199, NOAA4400 is classified as a Moderate Impact System, providing
infrastructure and application support for internal systems and data to external NMFS systems.
Section 1: Status of the Information System
1.1
Indicate whether the information system is a new or existing system.
[ ] This is a new information system.
[ ] This is an existing information system with changes that create new privacy risks. (Check all that apply.)
Changes That Create New Privacy Risks (CTCNPR)
a. Conversions
b. Anonymous to Non-Anonymous
c. Significant System Management Changes
d. Significant Merging
e. New Public Access
f. Commercial Sources
g. New Interagency Uses
h. Internal Flow or Collection
i. Alteration in Character of Data
j. Other changes that create new privacy risks (specify):
[ ] This is an existing information system in which changes do not create new privacy risks, and there is not a SAOP approved Privacy Impact Assessment.
[X] This is an existing information system in which changes do not create new privacy risks, and there is a SAOP approved Privacy Impact Assessment.
Section 2: Information in the System
2.1
Indicate what personally identifiable information (PII)/business identifiable information
(BII) is collected, maintained, or disseminated. (Check all that apply.)
Identifying Numbers (IN)
a. Social Security*
f. Driver’s License
b. Taxpayer ID
g. Passport
c. Employer ID
h. Alien Registration
d. Employee ID
i. Credit Card
e. File/Case ID
n. Other identifying numbers (specify):
j. Financial Account
k. Financial Transaction
l. Vehicle Identifier
m. Medical Record
*Explanation for the business need to collect, maintain, or disseminate the Social Security number, including
truncated form:
NOAA4400 collects vessel ID/Documentation Number (#) to trace information back to the required permit.
General Personal Data (GPD)
X
a. Name
b. Maiden Name
c. Alias
d. Sex
h.
i.
j.
k.
Date of Birth
Place of Birth
Home Address
Telephone Number
X
o. Financial Information
p. Medical Information
q. Military Service
r. Criminal Record
e. Age
l. Email Address
f. Race/Ethnicity
m. Education
g. Citizenship
n. Religion
u. Other general personal data (specify):
Work-Related Data (WRD)
a. Occupation
X
e. Work Email Address
b.
Job Title
X
f.
c.
Work Address
X
g. Work History
d.
Work Telephone
Number
X
h. Employment
Performance Ratings or
other Performance
Information
l.
Other work-related data (specify):
s. Marital Status
t. Mother’s Maiden Name
X
Salary
i.
Business Associates
X
Proprietary or Business
Information
k. Procurement/contracting
records
X
j.
Distinguishing Features/Biometrics (DFB)
a. Fingerprints
f. Scars, Marks, Tattoos
b. Palm Prints
g. Hair Color
c. Voice/Audio Recording
h. Eye Color
X
d. Video Recording
i. Height
e. Photographs
j. Weight
p. Other distinguishing features/biometrics (specify):
k. Signatures
l. Vascular Scans
m. DNA Sample or Profile
n. Retina/Iris Scans
o. Dental Profile
It is anticipated that the UAS collected imagery will be at a resolution to meet organizational
needs, but it does not have the ability (resolution or clarity) to identify any individuals uniquely.
System Administration/Audit Data (SAAD)
X
a. User ID
c. Date/Time of Access
X
b. IP Address
f. Queries Run
g. Other system administration/audit data (specify):
X
X
e. ID Files Accessed
f. Contents of Files
Other Information (specify)
NOAA4400 has a Fisheries Logbook System (FLS) which collects vessel and captains’
names, numbers of each species caught, the numbers of animals retained or discarded alive
or discarded dead, the location of the set, the types and size of gear, the duration of the set,
port of departure and return, unloading dealer and location, number of sets, number of
crew, date of departure and landing, and an estimate of the fishing time.
Fisherman trip and landing statistics are now being collected as well.
X
X
2.2
Indicate sources of the PII/BII in the system. (Check all that apply.)
Directly from Individual about Whom the Information Pertains
In Person
Hard Copy: Mail/Fax
Telephone
Email
Other (specify):
Government Sources
Within the Bureau
State, Local, Tribal
Other (specify):
X
Non-government Sources
Public Organizations
Third Party Website or Application
X
Online
Other DOC Bureaus
Foreign
X
Other Federal Agencies
Private Sector
X
Commercial Data Brokers
Other (specify):
2.3
Describe how the accuracy of the information in the system is ensured.
Multiple conditions have been implemented, system-wide, to restrict a user from selecting incorrect
options, including database fields and values, and in addition, after the data is collected and validated,
numerous QAQC reports are run to confirm the data accuracy.
The system's access is granted based on specific roles, and very few users can access the whole system.
Logs for every operation (no exceptions) are generated, collected, and kept indefinitely, which allows
the reconstruction and analysis of any event that might happen at a particular point. Operation logs are
generated with time and location.
2.4
Is the information covered by the Paperwork Reduction Act?
[X] Yes, the information is covered by the Paperwork Reduction Act.
Provide the OMB control number and the agency number for the collection.
The Office of Management and Budget (OMB) control numbers are 0648-0670, 0648-0013, 0648-0543, 0648-0371, 0648-0247, 0648-0151, 0648-0591, 0648-0016, 0648-0542, 0648-0631, 0648-0770.
[ ] No, the information is not covered by the Paperwork Reduction Act.
2.5
Indicate the technologies used that contain PII/BII in ways that have not been previously
deployed. (Check all that apply.)
Technologies Used Containing PII/BII Not Previously Deployed (TUCPBNPD)
Smart Cards
Biometrics
Caller-ID
Personal Identity Verification (PIV) Cards
Other (specify): UAS is being used.
There are not any technologies used that contain PII/BII in ways that have not been previously deployed.
Section 3: System Supported Activities
3.1
Indicate IT system supported activities, which raise privacy risks/concerns. (Check all that
apply.)
Activities
Audio recordings
Building entry readers
X
Video surveillance
Electronic purchase transactions
Other (specify):
NOAA4400 makes use of UAS and has the potential for inadvertent collection of PII. However, no information
retrieval using any unique identifier within Survey datasets will be conducted, and any PII inadvertently collected
will be deleted within 30 days. NOAA4400 does not use any application capable of facial recognition within any
captured images. It is anticipated that the UAS collected imagery will be at a resolution to meet organizational
needs, but it would not have the ability (resolution or clarity) to identify any individuals uniquely.
There are not any IT system supported activities which raise privacy risks/concerns.
Section 4: Purpose of the System
4.1
Indicate why the PII/BII in the IT system is being collected, maintained, or disseminated. (Check all that apply.)
Purpose
[ ] For a Computer Matching Program
[X] For administrative matters
[ ] For litigation
[ ] For administering human resources programs
[ ] To promote information sharing initiatives
[X] For criminal law enforcement activities
[X] For civil enforcement activities
[ ] For intelligence activities
[ ] To improve Federal services online
[ ] For employee or customer satisfaction
[ ] For web measurement and customization technologies (single-session)
[ ] For web measurement and customization technologies (multi-session)
[ ] Other (specify):
Section 5: Use of the Information
5.1
In the context of functional areas (business processes, missions, operations, etc.) supported
by the IT system, describe how the PII/BII that is collected, maintained, or disseminated
will be used. Indicate if the PII/BII identified in Section 2.1 of this document is in
reference to a federal employee/contractor, member of the public, foreign national, visitor
or other (specify).
NOAA4400 collects PII (captain’s name) and BII from logbooks for the purposes of regulating the
applicable fisheries. This information is maintained locally within the NOAA4400 system and is used
only for research and regulatory purposes. This information is collected from members of the public and
shared only within the bureau, other DOC bureaus, and other federal agencies on a case by case basis.
The OMB forms used for data collection are:
· ATLANTIC HIGHLY MIGRATORY SPECIES LOGBOOK TRIP SUMMARY FORM: 0648-0371
· ATLANTIC HIGHLY MIGRATORY SPECIES LOGBOOK - SET FORM: 0648-0371
· NO FISHING REPORTING FORM: 0648-0016
· SE COASTAL FISHERIES TRIP REPORT FORM: 0648-0016
· SUPPLEMENTAL DISCARD AND GEAR INTERACTION TRIP REPORT FORM: 0648-0016
NOAA4400 makes use of UAS and has the potential for inadvertent collection of PII. However, no
information retrieval using any unique identifier within Survey datasets will be conducted, and any PII
inadvertently collected will be deleted within 30 days. NOAA4400 does not use any application capable
of facial recognition within any captured images. It is anticipated that the UAS collected imagery will be
at a resolution to meet organizational needs, but it would not have the ability (resolution or clarity) to
identify any individuals uniquely.
5.2
Describe any potential threats to privacy, such as insider threat, as a result of the
bureau’s/operating unit’s use of the information, and controls that the
bureau/operating unit has put into place to ensure that the information is handled,
retained, and disposed appropriately. (For example: mandatory training for
system users regarding appropriate handling of information, automatic purging
of information in accordance with the retention schedule, etc.)
All personnel that work with the Logbook data are trained annually to help reduce the risk and minimize the impact of an authorized user intentionally or unintentionally disclosing data and causing adverse effects to sensitive data and the mission. The Logbook data is collected on paper and submitted by the fishermen via U.S. mail; some logbooks are submitted via fax. When received, logbooks are scanned and loaded into a database, then validated and corrected by data entry personnel at SEFSC. The application is for internal use only, with intranet access and username/password authentication.
In terms of data access, only the following personnel have access: (a) 4 System Administrators/Developers; (b) 24 NOAA data users; (c) 76 users with access to the Logbook images: NOAA officials, including the Southeast Regional Office, Office of Law Enforcement (OLE), Northeast Highly Migratory Species (NE HMS), and the South Atlantic (SA) and Gulf of Mexico Fishery Management Councils (GOM Council). To access the data, all personnel have a signed NDA. Logbook data is permanently retained.
All data is encrypted at rest and during transit and is handled by the Database Administrator in an Oracle
System. Considering the measures in place, unauthorized access is not likely. More information about
access to the data is given in Section 8.2 as well.
Any PII collected by UAS is incidental, unintentional, and not retained. It is anticipated that the UAS
collected imagery will be at a resolution to meet organizational needs, but it would not have the ability
(resolution or clarity) to identify any individuals uniquely.
Section 6: Information Sharing and Access
6.1
Indicate with whom the bureau intends to share the PII/BII in the IT system and how the
PII/BII will be shared. (Check all that apply.)
Recipient
Within the bureau
DOC bureaus
Federal agencies
State, local, tribal gov’t agencies *
Public
Private sector
Foreign governments
Foreign entities
Case-by-Case
X
X
X
X
How Information will be Shared
Bulk Transfer
Direct Access
X
Other (specify):
* The Atlantic States Marine Fisheries Commission is where ACCSP and the Atlantic Coastal Fisheries Information Network (ACFIN) are located. As an interstate commission created by Congress, it falls between the federal government and state/local government designations.
The PII/BII in the system will not be shared.
6.2
Does the DOC bureau/operating unit place a limitation on re-dissemination of PII/BII
shared with external agencies/entities?
Yes, the external agency/entity is required to verify with the DOC bureau/operating unit before redissemination of PII/BII.
X
No, the external agency/entity is not required to verify with the DOC bureau/operating unit before redissemination of PII/BII.
No, the bureau/operating unit does not share PII/BII with external agencies/entities.
6.3
Indicate whether the IT system connects with or receives information from any other IT systems authorized to process PII and/or BII.
[ ] Yes, this IT system connects with or receives information from another IT system(s) authorized to process PII and/or BII.
Provide the name of the IT system and describe the technical controls which prevent PII/BII leakage:
[X] This IT system connects to ACCSP, NOAA0100, NOAA0550, NOAA4000, NOAA4200, and NOAA4300 but does not receive information from another IT system(s) authorized to process PII and/or BII.
[ ] No, this IT system does not connect with or receive information from another IT system(s) authorized to process PII and/or BII.
6.4
Identify the class of users who will have access to the IT system and the PII/BII. (Check
all that apply.)
Class of Users
General Public
Government Employees
X
Contractors
Other (specify): Contract system developers working for ACCSP have access to the PII/BII collected.
Section 7: Notice and Consent
7.1
Indicate whether individuals will be notified if their PII/BII is collected, maintained, or disseminated by the system. (Check all that apply.)
[X] Yes, notice is provided pursuant to a system of records notice published in the Federal Register and discussed in Section 9.
[X] Yes, notice is provided by a Privacy Act statement and/or privacy policy. The Privacy Act statement and/or privacy policy can be found at: https://www.fisheries.noaa.gov/national/fisheries-observers/privacy-act-statement
Link to the Logbook can be found at: https://grunt.sefsc.noaa.gov/apex/f?p=128
Note: The PAS can be viewed at the end of this document.
[X] Yes, notice is provided by other means. Specify how: Notice is given on letters to permit holders explaining permit-related responsibilities.
[ ] No, notice is not provided. Specify why not:
7.2
Indicate whether and how individuals have an opportunity to decline to provide PII/BII.
[X] Yes, individuals have an opportunity to decline to provide PII/BII. Specify how: Fishers may decline to provide PII/BII by not completing their logbooks, but this information is required under the MSA and also is needed to maintain their permits.
Link to the Logbook can be found at: https://grunt.sefsc.noaa.gov/apex/f?p=128
Note: The PAS can be viewed at the end of this document.
[ ] No, individuals do not have an opportunity to decline to provide PII/BII. Specify why not:
7.3
Indicate whether and how individuals have an opportunity to consent to particular uses of their PII/BII.
[ ] Yes, individuals have an opportunity to consent to particular uses of their PII/BII. Specify how:
[X] No, individuals do not have an opportunity to consent to particular uses of their PII/BII. Specify why not: The only uses of the logbook information are research and regulatory purposes. Consent to these uses is implied by completion of the logbook.
7.4
Indicate whether and how individuals have an opportunity to review/update PII/BII pertaining to them.
[X] Yes, individuals have an opportunity to review/update PII/BII pertaining to them. Specify how: Pursuant to 15 CFR 4.27, Fishers may contact NOAA4400 offices (the contact information is on the logbook forms) and ask to review their logbook data.
[ ] No, individuals do not have an opportunity to review/update PII/BII pertaining to them. Specify why not:
Section 8: Administrative and Technological Controls
8.1 Indicate the administrative and technological controls for the system. (Check all that apply.)
(Twelve of the following controls are marked with an X on the form.)
All users signed a confidentiality agreement or non-disclosure agreement.
All users are subject to a Code of Conduct that includes the requirement for confidentiality.
Staff (employees and contractors) received training on privacy and confidentiality policies and practices.
Access to the PII/BII is restricted to authorized personnel only.
Access to the PII/BII is being monitored, tracked, or recorded.
    Explanation: The minimum PII and BII the system collects have the same protection as the database server, and all information related to both components is encrypted.
The information is secured in accordance with the Federal Information Security Modernization Act (FISMA) requirements.
    Provide date of most recent Assessment and Authorization (A&A): 03/06/2024
    [ ] This is a new system. The A&A date will be provided when the A&A package is approved.
The Federal Information Processing Standard (FIPS) 199 security impact category for this system is a moderate or higher.
NIST Special Publication (SP) 800-122 and NIST SP 800-53 Revision 5 Appendix J recommended security controls for protecting PII/BII are in place and functioning as intended; or have an approved Plan of Action and Milestones (POA&M).
A security assessment report has been reviewed for the information system and it has been determined that there are no additional privacy risks.
Contractors that have access to the system are subject to information security provisions in their contracts required by DOC policy.
Contracts with customers establish DOC ownership rights over data including PII/BII.
Acceptance of liability for exposure of PII/BII is clearly defined in agreements with customers.
Other (specify): ISSO will work with the COR to ensure appropriate FAR clauses (Subparts 24.1 and 24.2 or contract clauses 52.224-1 or 52.224-2) are added to contracts.
8.2 Provide a general description of the technologies used to protect PII/BII on the IT system. (Include data encryption in transit and/or at rest, if applicable).
The potential risk of inappropriate and/or unauthorized disclosure is mitigated by limiting the number of authorized system users, providing initial and annual system security training, monitoring authorized user activity, automatically and immediately notifying the system administrator of unauthorized system access or usage, documenting user violations, and gradually increasing user reprimands for system violations, ranging from a verbal warning with refresher security training to denial of system access.
Logbook data, when entered, is stored on our Oracle Database server. This system uses native database authentication and encryption for user access. The only way to read data on the Oracle Database is to authenticate with a username and password.
The information is secured via both administrative and technological controls. BII is stored on shared drives that require a CAC for access. SEFSC implements the principle of least privilege and separation of duties to ensure that only personnel with a need to know have access to this information.
All NOAA4400 personnel and contractors are instructed on the confidential nature of this information. By acknowledging the NOAA rules of behavior, account request agreements, etc., all users are recommended to abide by all statutory and regulatory data confidentiality requirements and to release the data only to authorized users.
Buildings employ security systems with locks and access limits. Only those who need to know in order to carry out the official duties of their job have access to the data. The computerized database is password-protected, and access is limited. Paper records are maintained in secured file cabinets in areas accessible only to authorized personnel of NOAA4400.
Section 9: Privacy Act
9.1 Is the PII/BII searchable by a personal identifier (e.g. name or Social Security number)?
[X] Yes, the PII/BII is searchable by a personal identifier.
[ ] No, the PII/BII is not searchable by a personal identifier.
9.2 Indicate whether a system of records is being created under the Privacy Act, 5 U.S.C. § 552a. (A new system of records notice (SORN) is required if the system is not covered by an existing SORN).
As per the Privacy Act of 1974, “the term ‘system of records’ means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”
[X] Yes, this system is covered by an existing system of records notice (SORN).
    Provide the SORN name, number, and link. (list all that apply):
    NOAA-6 SYSTEM NAME: “Fishermen's Statistical Data.” https://www.commerce.gov/node/4998
    NOAA-19 SYSTEM NAME: “Permits and Registrations for United States Federally Regulated Fisheries.” https://www.commerce.gov/node/4991
[ ] Yes, a SORN has been submitted to the Department for approval on (date).
[ ] No, this system is not a system of records and a SORN is not applicable.
Section 10: Retention of Information
10.1 Indicate whether these records are covered by an approved records control schedule and monitored for compliance. (Check all that apply.)
[X] There is an approved record control schedule.
    Provide the name of the record control schedule: NOAA1504.24, SEFSC Logbook – This covers the paper versions of the logbook forms.
[X] No, there is not an approved record control schedule.
    Provide the stage in which the project is in developing and submitting a records control schedule: A records schedule for the electronic version of the logbook information has been submitted to NARA for approval. Until scheduled, these electronic records are categorized as Permanent.
[X] Yes, retention is monitored for compliance to the schedule. Scheduled records are monitored for compliance with the records schedule.
[ ] No, retention is not monitored for compliance to the schedule. Provide explanation:
10.2 Indicate the disposal method of the PII/BII. (Check all that apply.)
Disposal
[X] Shredding
[ ] Overwriting
[ ] Degaussing
[ ] Deleting
[X] Other (specify): UAS resolution is not sufficient to identify any PII inadvertently collected.
Section 11: NIST Special Publication 800-122 PII Confidentiality Impact Level
11.1 Indicate the potential impact that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed. (The PII Confidentiality Impact Level is not the same, and does not have to be the same, as the Federal Information Processing Standards (FIPS) 199 security impact category.)
[X] Low – the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
[ ] Moderate – the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
[ ] High – the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
11.2 Indicate which factors were used to determine the above PII confidentiality impact level. (Check all that apply.)
[ ] Identifiability
    Provide explanation:
[X] Quantity of PII
    Provide explanation: The quantity is minimal. NOAA4400 does not collect SSNs or EINs; however, the organization gathers some minimum PII such as captains' names, addresses, and phone numbers.
[X] Data Field Sensitivity
    Provide explanation: Sensitive PII such as SSNs and sensitive BII for fishermen are not collected by NOAA4400, nor is sensitive business data.
[X] Context of Use
    Provide explanation: Permit information and fishers' business data are stored securely as described in Sections 8.1 and 8.2. Administrative and Technological Controls are in place to protect the minimum PII/BII the system collects.
[X] Obligation to Protect Confidentiality
    Provide explanation: The Magnuson-Stevens Act authorizes confidentiality of fisheries data.
[X] Access to and Location of PII
    Provide explanation: The system is not publicly accessible. Access to PII/BII is controlled through access control lists, separation of duties, and enforcement of least privilege access. We also limit the number of authorized system users, provide initial and annual system security training, and monitor authorized user activity; the system administrator is automatically and immediately notified of unauthorized system access or usage, user violations are documented, and user reprimands for system violations are gradually increased, ranging from a verbal warning with refresher security training to denial of system access.
[ ] Other:
    Provide explanation:
Section 12: Analysis
12.1 Identify and evaluate any potential threats to privacy that exist in light of the information collected or the sources from which the information is collected. Also, describe the choices that the bureau/operating unit made with regard to the type or quantity of information collected and the sources providing the information in order to prevent or mitigate threats to privacy. (For example: If a decision was made to collect less data, include a discussion of this decision; if it is necessary to obtain information from sources other than the individual, explain why.)
No, the conduct of this PIA does not result in any required business process changes. Other than the accidental release of confidential information, no other threats have been identified. NOAA4400 exclusively gathers what the councils decide we need to collect to support management, and this is minimum PII/BII such as business name and address for mailing. This information is stored in an Oracle Database and requires a username/password for access. Backups are encrypted. All online entries (i.e., web applications) are reviewed to mitigate any security threats and have passed security scanning (i.e., APEX SERT (Security Evaluation and Recommendation Tool)).
12.2 Indicate whether the conduct of this PIA results in any required business process changes.
[ ] Yes, the conduct of this PIA results in required business process changes.
    Explanation:
[X] No, the conduct of this PIA does not result in any required business process changes.
12.3 Indicate whether the conduct of this PIA results in any required technology changes.
[ ] Yes, the conduct of this PIA results in required technology changes.
    Explanation:
[X] No, the conduct of this PIA does not result in any required technology changes.
Privacy Act Statement
Authority: The collection of this information is authorized under 50 C.F.R. 622.5 for the purpose of managing the fisheries of the Caribbean, Gulf of Mexico, and South Atlantic in accordance with the Atlantic Tunas Convention Act (16 U.S.C. 971 et seq.) and the Magnuson-Stevens Fishery Conservation and Management Act (16 U.S.C. 1801 et seq.).
Purpose: The Department of Commerce (Department) is collecting this information to ensure productive and sustainable fisheries, safe sources of seafood, recovery and conservation of protected resources, and healthy ecosystems. The Fisheries Logbook System records the fishing and non-fishing activity of fishermen who are required to report their fishing activity via logbooks submitted for each trip.
Routine Uses: The Department will use this information to routinely monitor fisheries to ensure they are sustainably managed. Disclosure of this information is also subject to all of the published routine uses as identified in the Privacy Act System of Records Notice COMMERCE/NOAA-6, Fishermen's Statistical Data, and COMMERCE/NOAA-19, Permits and Registrations for United States Federally Regulated Fisheries.
Disclosure: Furnishing this information is mandatory. The failure to report as required by a permit may result in delays in permit renewals.
Points of Contact and Signatures

Information System Security Officer or System Owner
Name: Richard A. Rasch
Office: NOAA4400
Phone: 850-583-4384
Email: Richard.Rasch@noaa.gov
I certify that the appropriate authorities and SORNs (if applicable) are cited in this PIA.
Signature: Digitally signed by RASCH.RICHARD.ANTHONY.1179033433
Date signed: 2025.02.20 07:34:47 -09'00'

Information Technology Security Officer
Name: Luis O. Noguerol
Office: NOAA4400
Phone: 305-361-4464
Email: luis.noguerol@noaa.gov
I certify that the appropriate authorities and SORNs (if applicable) are cited in this PIA.
Signature: Digitally signed by NOGUEROL.LUIS.O (IO).1505589439
Date signed: 2025.02.19 11:19:40 -05'00'

Privacy Act Officer
Name: Robin Burress
Office: NOAA OCIO
Phone: 828-271-4695
Email: Robin.Burress@noaa.gov
I certify that the appropriate authorities and SORNs (if applicable) are cited in this PIA.
Signature: Robin.Burress
Date signed: 2025.02.20 15:42:01 -05'00'

Authorizing Official
Name: Braydon Mikesell
Office: NOAA4400
Phone: 305-699-3108
Email: braydon.mikesell@noaa.gov
I certify that the appropriate authorities and SORNs (if applicable) are cited in this PIA.
Signature: Digitally signed by MIKESELL.BRAYDON.GLENN.1261513648
Date signed: 2025.02.20 11:55:05 -05'00'

Bureau Chief Privacy Officer
Name: Mark Graff
Office: NOCC OCIO
Phone: 301-628-5658
Email: Mark.Graff@noaa.gov
I certify that the appropriate authorities and SORNs (if applicable) are cited in this PIA.
Signature: Digitally signed by GRAFF.MARK.HYRUM.1514447892
Date signed: 2025.02.20 16:17:14 -05'00'
File Type | application/pdf |
File Title | NOAA4400 PIA 2022-0119 CRB Updates.pdf |
Author | Luis O. Noguerol |
File Modified | 2025-02-20 |
File Created | 2025-02-20 |