Download:
pdf |
pdfU.S. Department of Commerce
National Oceanic & Atmospheric Administration
Privacy Impact Assessment
for the
NOAA4600
Northwest Fisheries Science Center (NWFSC)
Reviewed by:
Mark Graff
Bureau Chief Privacy Officer
✔
☐
Concurrence of Senior Agency Official for Privacy/DOC Chief Privacy Officer
☐ Non-concurrence of Senior Agency Official for Privacy/DOC Chief Privacy Officer
GRAFF.MARK.HYRUM.1514447892
Digitally signed by GRAFF.MARK.HYRUM.1514447892
Date: 2025.02.05 08:34:42 -05'00'
Signature of Senior Agency Official for Privacy/DOC Chief Privacy Officer
Date
�Version Number: 01-2021
U.S. Department of Commerce Privacy Impact Assessment
NOAA/NMFS/Northwest Fisheries Science Center
Unique Project Identifier: NOAA4600
Introduction: System Description
Provide a brief description of the information system.
NOAA4600 supports the mission of the Northwest Fisheries Science Center (NWFSC). The
NWFSC’s research effort is organized around four major themes. The NWFSC incorporates
climate research into each of these themes to improve understanding of the effects of climate on
ecosystems. In addition, each theme also integrates social science research that seeks to better
understand the human values, actions, communities and institutions that influence marine and
anadromous fish, marine mammals, and other species and ecosystems in the Pacific Northwest.
1. Sustainable, Safe and Secure Seafood for Healthy Populations and Vibrant Communities
2. Ecosystem Approach to Improve Management of Marine Resources
3. Recovery and Rebuilding of Marine and Coastal Species
4. Habitats to Support Sustainable Fisheries and Recovered Populations
Address the following elements:
(a) Whether it is a general support system, major application, or other type of system
NOAA4600 is a General Support System that supports the mission of the Northwest
Fisheries Science Center (NWFSC).
(b) System location
NOAA4600 is located throughout the Pacific Northwest with offices in:
•
Seattle, Washington
•
Newport, Oregon
•
Port Orchard, Washington
•
Hammond, Oregon
•
Pasco, Washington
2
�Version Number: 01-2021
(c) Whether it is a standalone system or interconnects with other systems (identifying and
describing any other systems to which it interconnects)
NOAA4600 interconnects with other systems inside and outside of the NMFS internal network.
Monterrey Bay Aquarium Research Institute (MBARI) - Used to connect the NWFSC
guest network to an Environmental Sample Processor (ESP) device use for detecting
Harmful Algal Blooms.
NOAA4000 - Fisheries WAN and Enterprise Services & Vessel Monitoring System
(vTRACK) - Used for wide-area network (WAN) connectivity to NMFS related assets managed
at the headquarters including Office of Law Enforcement VMS and declaration data.
NOAA4200 - Northeast Fisheries Science Center (NEFSC) Network - Used to
allow NEFSC access to the SEDNA Bioinformatics Cluster hosted at the NWFSC
NOAA4800 - Alaska Fisheries Science Center (AKFSC) Network - Used to access the North
Pacific (NORPAC) groundfish and halibut observer data
NOAA4930 - Southwest Fisheries Science Center (SWFSC) Network - Used to allow
SWFSC access to a NWFSC file share by static IP addresses and access the SEDNA
Bioinformatics Cluster hosted at the NWFSC
NOAA4960 – Pacific Islands Fisheries Science Center (PIFSC) Network - Used
to allow PIFSC access to the SEDNA Bioinformatics Cluster hosted at the NWFSC
NOAA0201 - Web Operations Center (WOC) Network - Used to access NWFSC
data and resources hosted at the WOC
NOAA0550 – N-Wave Network - Used for managed LAN services at the Hollings
Marine Lab in Charleston, South Carolina
*NOAA0100 - NOAA Cyber Security Center (H) - Used for security monitoring
of the NWFSC Information System
*This is not a new interconnection, it was just recently documented by NOAA0100. This does
not create any privacy posture changes to NOAA4600.
(d) The way the system operates to achieve the purpose(s) identified in Section 4
Utilizing applications, web services, and database-to-database connections; NWFSC scientists
are able to analyze data and extrapolate new scientific models sharing their findings with the
scientific community.
(e) How information in the system is retrieved by the user
The Observer Production (OBSPROD) and Observer Logistic (OBSLOG) systems have a web
interface that allows a user to access remotely. In order for the user to access any of the data,
they must enter a previously supplied userid and password combination into the web
application. Once authenticated, the user can selectively navigate the system to retrieve
information. Most users access both systems using the web interface, there are West Coast
3
�Version Number: 01-2021
Groundfish Observer Program (WCGOP) staff that access both databases directly using SQL
Developer/SQL Plus to query non-aggregated and sensitive data. Users with direct access
query data to fill data requests and for analysis purposes. In-season Catch Share specific data is
disseminated daily to the Vessel Account System in the Individual Fishing Quota (IFQ)
database for in-season quota management. Electronic Monitoring (EM) recorded video footage
is retrieved from internal file shares and analyzed with specialized
software.
The Economic Data Collection (EDC) Program staff logs into a web application that allows a
user to log receipts of EDC forms, log communications with participants, and edit data as
necessary. Aside accessing the data through the web application, each member of the EDC staff
has also been given a production database account that they may use to perform additional
analysis directly against the raw economic data stored in the database. They access the database
account using either the Rstudio client or the approved client for the database platform it is
stored in.
Most access to the Permits Program is provided to authenticated application users, who access
the data through custom built web applications and data access is determined by their
application role. All individuals who are granted access to the data sign a non-disclosure
agreement on an annual basis. All NOAA users authenticate through a NOAA managed LDAP
server, while state partners have a unique username and password that is managed by the
NWFSC Scientific Data Management (SDM) Team. There are also 2 authenticated web
services. The first provides IFQ landing reports based on IFQ account authentication and the
second provides the association of Permits to IFQ Vessel Accounts to the Pacific States Marine
Fisheries Commission (PSMFC) through a unique authenticated user account. System owners
can connect directly to the database schemas to validate and query data, and deploy new
applications and custom database procedures. There are also NOAA staff that have read access
to several database views, through named user access. Finally, some non- confidential
information that is made available to the public through public reports on the Permits and IFQ
applications.
Office of Law Enforcement (OLE) Vessel Monitoring System (VMS) data is accessible with a
production database account that is utilized to perform analysis by aggregating data from
various sources. They access the database account using either the Rstudio client or the
approved client for the database platform it is stored in. Declarations data is accessible through
two separate authenticated web applications.
A cloud service is being utilized at NOAA0201 to act as an intermediary for data collection from
the field and transportation to NOAA4600. The objective is to utilize a technology that allows
for data syncing with different technologies. Ultimately the data is transported to NOAA4600
where it is processed and stored.
The Authorizations and Permits for Protected Species (APPS) application is a web based
4
�Version Number: 01-2021
system that contains applications for permits required by the Marine Mammal Protection Act
(MMPA) and the Endangered Species Act (ESA). Researchers use the system to submit an
application which contain PII (employment and education information) prior to receiving a
scientific research permit. Information collected is not shared publicly. NOAA Fisheries
protects PII stored in APPS by minimizing the use and collection of PII. NOAA Fisheries also
protects PII stored in APPS by controlling access to the information. APPS requires users to
authenticate their identity by entering a username and password.
The Pacific Halibut Permitting application is a web based system that is accessed through
username and password. Permit holders can access their information while federal employees
and contractors can access all permit information contained within the system.
(f) How information is transmitted to and from the system
All web applications utilize Secure Sockets Layer (SSL) certificates or the Transport Layer
Security (TLS) 2.0 standard for all data encryption where appropriate.
(g) Any information sharing
West Coast Groundfish Observer Program (WCGOP) and Observer Logistics (OBSLOG)
A portion of the system does reside in the NORPAC database maintained at the Alaska
Fisheries Science Center. The At-Sea Hake Observer Program (A-SHOP) data is selectively
downloaded nightly from the database at AFSC into the database managed locally at NWFSC.
Direct access is not very prevalent for the sharing of Observer data as groups at the Northwest
Fisheries Science Center and Office of Law enforcement are the only federal entities that can
access the data directly. Personnel in the Fishery Resource Analysis and Monitoring Division,
Scientific Data Management Group, and Genetics division are given direct access to locations,
catch, biological, and protected resource data for analysis and in-season management. Certain
personnel from the Office of Law Enforcement are also given direct access to Observer
reported safety incidents and violations along with fishery-dependent catch data that includes
locations.
Most of the Observer data shared to others is through different reoccurring batch/bulk
transfers. Certain scientists at the Northwest Fisheries Science Center, aside from the staff
identified as ones with direct access, are given subsets of the data including locations, catch,
biological and protected resources. The NMFS West Coast Regional office receives annual
analysis reports including locations, catch, biological, and protected resource data. Both the
SW Fisheries Science Center and the National Marine Mammal Lab receive annual reports of
protected species data that includes locations and vessel specific data. In terms of State, local,
and tribal gov’t agencies, there are three high-level groups that receive annual data from the
Observer program. The California Department of Fish and Wildlife, Oregon Department of
Fish and Wildlife, and Washington State Department of Fish and Wildlife also receives fishery
dependent-data that includes locations, catch, biological, and protected resource data. The
Pacific States Marine Fisheries Commission and the Pacific Fishery Management Council both
are given confidential reports of fishery dependent-data that includes locations, catch,
biological, and protected resource data as defined under the Magnuson Stevens Act (MSA).
5
�Version Number: 01-2021
On occasion, groups have asked the Observer program for one-time subsets of the trip or catch
data. These groups range from groups that already have access to observer data but needs
something that they are not regularly given or entities that do not normally have access but need
a subset of data to finish their task. The Office of Law Enforcement has certain personnel that
require catch data for specific cases they are investigating so custom data is generated for them.
The National Ocean Services on request are given Fishery dependent-data that included fishing
locations and catch related data to inform aquaculture management. Various Native American
Tribes that are part of the Pacific Fishery Management Council are given Fishery dependentdata that included fishing locations, catch, and biological related data to inform fisheries
management when requested. The Observer program also provides information to the private
sector although there is higher burden concerning proof of need due to the sensitivity of the data.
Observer providers and contractors request Fisheries observer performance evaluations. Various
members of the fishing industry (i.e., vessel owner or captain) request vessel specific fisherydependent-data that includes locations, catch, biological, and protected resource data. Nongovernmental Organizations at times request protected species data (Marine Mammals, Birds,
etc.) that includes interaction locations and vessel specific data. Finally, Education institutions
and students request fishery dependent-data that includes locations, catch, biological, and
protected resource data.
A cloud service is being utilized at NOAA0201 to act as an intermediary for data collection from
the field and transportation to NOAA4600. The objective is to utilize a technology that allows
for data syncing with different technologies. Ultimately the data is transported to NOAA4600
where it is processed and stored.
Economic Data Collection (EDC)
The Economic Data Collection program receives its data from various entities. The program
requests data on costs, revenue, ownership, and employment and this information is used to
study the economic impacts of the West Coast Trawl Groundfish Catch Share Program on
affected harvesters, processors, and communities, as well as net benefits to the nation. Pacific
States Fisheries Center also shares various catch share data that has been collected from
various states. Finally, the West Coast Groundfish Permits Program shares permit and quota
data that is tied into the economic data.
The sharing of the EDC data is very limited, which is broken up between the select few that
have direct access to all economic data for research and management support purposes, and the
case-by- case approvals for subsets of data used to answer specific fishery management
questions. Users with direct access are Economists (federal staff + contractors) within the
Fishery Resource Analysis and Monitoring (FRAM) division, IT, and NWFSC Software Data
Management Team. Users with case- by-case access have been West Coast Region
economists, Pacific Fishery Management Council staff and contractors, Academic researchers
under contract with NWFSC Economists to conduct specific analyses, and economists in the
Columbia Basin group request EDC data to answer specific fishery management and research
questions.
6
�Version Number: 01-2021
West Coast Groundfish Permits Program
Any PII/BII is stored in the database system and access is only provided to authorized
users. All information is entered directly by WCR permit’s staff. Non confidential
information is made available to the public through public reports on the Permits
application.
The primary group of users and the only group that can edit data, includes named NOAA users
within the West Coast Regional (WCR) Permits Office who have read and write access through
a web application. These users can modify PII and BII data including tax identification
numbers, birth dates, contact information, and the ownership interest structure of permit
owners and IFQ Account owners. These users can also view IFQ vessel account and quota
share account information, including quota pound and quota share balances, landing and
discard information and deficits, and as well as quota pound and quota share transfer details.
There are also application users and named database users within the Economic Data
Collection (EDC) program at the NWC, who have read only access to ownership information,
quota pound and quota share transfers, and landing and discard data through role based access
to a web application. Federal SDM team members can connect directly to the database schemas
to validate and query data, and deploy new applications and custom database procedures.
Certain personnel in the NOAA West Coast Office of Law Enforcement as well State Law
Enforcement agencies who have read only access to data reports through role based access to a
web application, that allow them to track when a vessel account goes into deficit and to monitor
the status of the deficit. They are also provided access to landing and discard amounts at the trip
level, but not fishing locations. These users do not have access to ownership information or
other PII or BII.
State level access are provided using two methods of direct access. An authenticated web
service provides the association of Limited Entry Permits to Vessels fishing in the IFQ fishery.
This information is provided to the Pacific States Marine Fisheries Commission to assign IFQ
vessel account identification numbers to fish ticket landings information submitted by
processors and catch monitors. When the IFQ system processes landing data, this vessel
account identification number is used to debit quota pounds from vessel accounts. Certain
personnel in the State Law Enforcement agencies also have read only access to data reports
through role based access to a web application, that allow them to track when a vessel account
goes into deficit and to monitor the status of the deficit. They are also provided access to
landing and discard amounts at the trip level, but not fishing locations. These users do not have
access to ownership information or other PII or BII.
Depending on the type of data, there are various levels of direct access given to the private
sector. The first are Limited Entry Permit owners who have access to submit permit renewals,
monitor the status of their renewal, and print Permit certificates through an authenticated web
application. These users are provided an access token that grants access only to permits that
they own. The second group of private sector users are IFQ Vessel and Quota Share Account
owners who access their accounts through an authenticated web application. This application
allows account owners to check Quota Pound and/or Quota Share balances, landing and
discard information, and complete Quota Pound and/or Quota Share transfers. Finally, an
authenticated web service provides IFQ landing reports based on IFQ account authentication.
This web service is available to all IFQ vessel account owners and is typically used by
managers who are hired by IFQ vessel account owners to manage their quota pound balances.
7
�Version Number: 01-2021
The web service requires the IFQ account user id and password to be authenticated.
There are also some non-confidential information that is made available to the public through
public reports on the Permits and IFQ applications. The public has access to permit data such
as the owner of the permit and the vessel that the permit is currently registered to. This
includes address information for both parties, permit endorsements and vessel length. The
public has access to IFQ sector limit allocations, carryover allocations, and catch to date at the
species level. In terms of Quota Share data, the public has access to the owner name and quota
share percentages and quota pound allocations at the species level. In terms of Vessel data, the
public has access to the owner name and quota pound balances (but does not show deficit) and
the remaining limit of quota pounds that can be transferred into the account. The public also
has access to the average price per pound by species for species where there is enough data
available to determine the calculation without divulging who made the transfers.
On occasion the WCR Permits Office may require custom reports which are specific subsets of
permit and vessel data that are generated by the NWC SDM Team and shared through a secure
file share. There was also one case-by-case instance where access to ownership interest
information (our most sensitive data) had been granted to a Fisheries Council member who
works for the Washington Department of Fish and Wildlife. This person had signed an NDA
and data was shared through a secure file share. It is possible that this request might change to
an annual request as this information may change over time.
In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act,
these records or information contained therein may specifically be disclosed outside the
Department of Commerce (Department). These records or information contained therein may
specifically be disclosed as a routine use. The Department will, when so authorized, make the
determination as to the relevancy of a record prior to its decision to disclose a document.
Office of Law Enforcement (OLE) Vessel Monitoring System (VMS)
Vessel Monitoring System (VMS) data is split into two categories: vessel tracking and
declarations. Vessel tracking data is copied from the Office of Law Enforcement and stored
within the information system for local analysis by NWFSC staff. Vessel tracking is not shared
publicly and requires authenticated access by NWFSC staff. Declarations data is stored and
utilized by two separate authenticated web applications. The Boatnet application provides a
secure web application for fishers to electronically record their declarations independently.
This application is provided in conjunction with the existing Declarations service that Office
of Law Enforcement (OLE) Vessel Monitoring System (VMS) technicians provide. It provides
the entry point for declarations that reside in the VMS system and receives that information
back from the VMS system for review and access by NOAA staff and the fishers that hold
accounts.
Authorization and Permits for Protected Species (APPS)
Authorizations and Permits for Protected Species (APPS) verifies that the individual has the
8
�Version Number: 01-2021
necessary qualifications to conduct research on protected species. The PII/BII collected by the
IT system is from federal and state employees, members of the public, and employees/members
of Tribal Nations. Applicants provide a curriculum vitae or resume documenting their academic
and/or work related experience with the methods and procedures they plan to use on protected
species.
Pacific Halibut Permitting
Pacific Halibut Permitting issues permits for the Pacific halibut commercial and recreational
charter halibut fisheries in International Pacific Halibut Commission (IPHC) regulatory Area 2A
(Washington, Oregon, and California).
(h) The specific programmatic authorities (statutes or Executive Orders) for collecting,
maintaining, using, and disseminating the information
West Coast Groundfish Observer Program (WCGOP) and Observer Logistics (OBSLOG)
This application follows the Magnuson Stevens Fishery Conservation and Management Act
(MSA), Marine Mammal Protection Act, Endangered Species Act, and 50 CFR 660.16
Groundfish observer program.
Economic Data Collection (EDC) Database
EDC program is mandatory under the regulation 50 CFR 660.114. It also follows the
Magnuson Stevens Fishery Conservation and Management Act (MSA), 50 CFR 660.114, and
the Trawl fishery - economic data collection program regulations.
West Coast Groundfish Permits Program
Applications for permits and registrations are collected from individuals under the authority of
the Magnuson-Stevens Fishery Conservation and Management Act, the High Seas Fishing
Compliance Act, the American Fisheries Act, the Tuna Conventions Act of 1950, the Atlantic
Coastal Fisheries Cooperative Management Act, the Atlantic Tunas Convention Authorization
Act, the Northern Pacific Halibut Act, the Antarctic Marine Living Resources Convention Act,
the Western and Central Pacific Fisheries Convention Implementation Act (WCPFCIA; 16
U.S.C. 6901 et seq), international fisheries regulations regarding U.S. Vessels Fishing in
Colombian Treaty Waters, the Marine Mammal Protection Act, the Endangered Species Act
and the Fur Seal Act. The authority for the mandatory collection of the Tax Identification
Number is 31 U.S.C. 7701.
Office of Law Enforcement (OLE) Vessel Monitoring System (VMS)
The overall authority for federal fishery management is the Magnuson-Stevens Conservation
and Management Act (16 U.S. Code 1801 et. seq.)
Authorization and Permits for Protected Species (APPS)
9
�Version Number: 01-2021
Authorities include the Marine Mammal Protection Act, 16 U.S.C. 1361 et seq. The Fur Seal
Act, 16 U.S.C. 1151 et seq. The Endangered Species Act, 16 U.S.C 1531 et seq.
Pacific Halibut Permitting
Authorities include the Magnuson-Stevens Fishery Conservation and Management Act (16
U.S.C 1801 et seq.), the Northern Pacific Halibut Act of 1982, the implementing regulations at
50 CFR Part 300, and the Debt Collection Act (31 U.S.C. 7701).
(i) The Federal Information Processing Standards (FIPS) 199 security impact category for the
system
NOAA4600 System Security Categorization is Moderate
Confidentiality = Moderate
Integrity = Moderate
Availability = Moderate
10
�Version Number: 01-2021
Section 1: Status of the Information System
1.1
Indicate whether the information system is a new or existing system.
This is a new information system.
This is an existing information system with changes that create new privacy risks.
(Check all that apply.)
Changes That Create New Privacy Risks (CTCNPR)
a. Conversions
d. Significant Merging
b. Anonymous to Non- Anonymous
e. New Public Access
c. Significant System
f. Commercial Sources
Management Changes
j. Other changes that create new privacy risks (specify):
g. New Interagency Uses
h. Internal Flow or
Collection
i. Alteration in Character
of Data
This is an existing information system in which changes do not create new privacy
risks, and there is not a SAOP approved Privacy Impact Assessment.
X
This is an existing information system in which changes do not create new privacy
risks, and there is a SAOP approved Privacy Impact Assessment.
Section 2: Information in the System
2.1
Indicate what personally identifiable information (PII)/business identifiable information
(BII) is collected, maintained, or disseminated. (Check all that apply.)
Identifying Numbers (IN)
X
a. Social Security*
f. Driver’s License
j. Financial Account
X
X**
b. Taxpayer ID
g. Passport
k. Financial Transaction
c. Employer ID
h. Alien Registration
l. Vehicle Identifier
d. Employee ID
i. Credit Card
m. Medical Record
e. File/Case ID
n. Other identifying numbers (specify):
Captain’s license, State and Federal Dealer Numbers (if applicable), permit or license numbers for Federal or state
permit/licenses issued and start and end dates and other permit status codes, vessel name and registration number
** West Coast Groundfish Permits: check number, date and amount, for permit fees
*Explanation for the business need to collect, maintain, or disseminate the Social Security number, including
truncated form:
Social Security Number is collected in connection with the Pacific Halibut Permitting process. Individuals are
verified as having no active sanctions that would preclude them from receiving a permit.
11
�Version Number: 01-2021
General Personal Data (GPD)
X*
X
a. Name
h. Date of Birth
o. Financial Information
X
b. Maiden Name
i. Place of Birth
p. Medical Information
X
c. Alias
j. Home Address
q. Military Service
X
X
d. Gender
k. Telephone Number
r. Criminal Record
X
X
e. Age
l. Email Address
s. Marital Status
X
f. Race/Ethnicity
m. Education
t. Mother’s Maiden Name
g. Citizenship
n. Religion
u. Other general personal data (specify):
West Coast Groundfish Observer Program (WCGOP) and Observer Logistics (OBSLOG): Observers’ emergency
contact information (whom to contact in case of observer emergency).
Economic Data Collection (EDC): costs, revenue, ownership, and employment.
West Coast Groundfish Permits: *Permit applicant, permit holder, permit transferor/transferee, vessel owner,
vessel operator, dealer applicant, dealer permit holder. Name of corporation, state and date of incorporation of
business and articles of incorporation, marriage certificate, divorce decree, death certificate.
Date of Birth is collected for identification purposes by West Coast Groundfish Observer Program (WCGOP),
Observer Logistics (OBSLOG), West Coast Groundfish Permits Program, Pacific Halibut Permitting.
Work-Related Data (WRD)
a. Occupation
X
e. Work Email Address
X
i.
b.
Job Title
X
f.
X
j.
c.
Work Address
X
g. Work History
X
d.
Work Telephone
Number
X
h. Employment
Performance Ratings or
other Performance
Information
X
Salary
Business Associates
X
Proprietary or Business
Information
k. Procurement/contracting
records
X
X
l. Other work-related data (specify):
West Coast Groundfish Observer Program (WCGOP) and Observer Logistics (OBSLOG): observer deployments,
official observer statements (also called incident reports, affidavits). Sometimes when an observer witnesses a
potential violation, OLE requests them to fill out a statement regarding the event; vessel length and type; vessel
safety checklist, work related Performance (Training, Scores, Evaluations).
Economic Data Collection (EDC): costs, revenue, ownership, and employment.
West Coast Groundfish Permits: vessel name, vessel length overall.
Office of Law Enforcement (OLE) Vessel Monitoring System (VMS): vessel location, type of gear being used.
Distinguishing Features/Biometrics (DFB)
a. Fingerprints
f. Scars, Marks, Tattoos
k. Signatures
b. Palm Prints
g. Hair Color
l. Vascular Scans
X
c. Voice/Audio Recording
h. Eye Color
m. DNA Sample or Profile
X
d. Video Recording
i. Height
n. Retina/Iris Scans
X
e. Photographs
j. Weight
o. Dental Profile
p. Other distinguishing features/biometrics (specify):
Video Recordings include Electronic Monitoring of at fishing vessels, virtual meetings recorded by NOAA4600,
and security surveillance footage. Voice/Audio Recordings include virtual meetings recorded by NOAA4600.
12
�Version Number: 01-2021
Photographs include WCGOP Observers and NOAA4600 staff.
System Administration/Audit Data (SAAD)
X
a. User ID
c. Date/Time of Access
X
b. IP Address
f. Queries Run
g. Other system administration/audit data (specify):
X
X
e. ID Files Accessed
f. Contents of Files
Other Information (specify)
West Coast Groundfish Observer Program (WCGOP) and Observer Logistics (OBSLOG): vessel characteristics
information (name, USCG #, # of crew, captain name), fishing effort information (fishing locations, gear used,
depth, etc.), catch information (species caught, retained and discard, species compositions), biological data
(otoliths, lengths, tissue samples) and protected species information (takes, injuries, sightings, samples, specimen
collection).
Economic Data Collection (EDC): species catch information.
West Coast Groundfish Permits: Species, aggregate catch data and statistics, quota share balance, quota pound
balance, quota pound limits, listings of endorsements and designations (i.e., gear endorsement, size endorsement,
sector endorsement, permit tier) associated with the permit, name of physical IFQ landing site, Exemptions (i.e.,
Owner on Board - Grandfathered Exemption, Owner on Board, as stated in code of federal regulations) and
exemption status, contact persons. Catch/Observer Discard Data, Quota Share/Quota Pound Transfer Data,
Business Operation Information (Business Processes, Procedures, Physical Maps).
2.2
Indicate sources of the PII/BII in the system. (Check all that apply.)
Directly from Individual about Whom the Information Pertains
X
In Person
Hard Copy: Mail/Fax
X
Telephone
Email
Other (specify):
Government Sources
Within the Bureau
State, Local, Tribal
Other (specify):
X
X
Other DOC Bureaus
Foreign
Non-government Sources
Public Organizations
Private Sector
Third Party Website or Application
Other (specify):
*State or Regional Marine Fisheries Commission’s Data.
2.3
X
X
Online
X
X
Other Federal Agencies
X
X*
Commercial Data Brokers
Describe how the accuracy of the information in the system is ensured.
West Coast Groundfish Observer Program (WCGOP) and Observer Logistics (OBSLOG): Data is
entered by Observer personnel and is run through nearly 300 rigorous trip error checks to ensure the
13
�Version Number: 01-2021
validity of the data. All data is also reviewed by Observer debriefing personnel to ensure the accuracy
and validity of the data.
Economic Data Collection (EDC): Data is either entered directly by commercial fishermen or doublekey entered by EDC staff members to ensure accuracy. All data is reviewed during a quality control
process by EDC staff, during which time EDC staff address potential inaccuracies by working directly
with the commercial fishermen to confirm data entries.
West Coast Groundfish Permits Program: Historic data that was migrated into the PERMITS database
managed by NWFSC, has been validated with the WCR Permits Office. With that said there are still a
few outliers of historic data that was not migrated correctly. This information of historic permit records
has not been deemed critical and due to the manual work involved to correct this data, it has not yet
been corrected. Historic data records are or will be manually corrected. Since the NWFSC has managed
this database, all data is validated by the WCR Permits Office. This includes creating new Permits for a
new year and any permit ownership or vessel registration transfers and vessel ownership transfers.
2.4
Is the information covered by the Paperwork Reduction Act?
X
Yes, the information is covered by the Paperwork Reduction Act.
Provide the OMB control number and the agency number for the collection.
IFQ: 0648-0620
EDC: 0648-0618
Observer: 0648-0593, 0648-0606, 0648-0749
APPS: 0648-0084, 0648-0402, 0648-0399, 0648-0151, 0648-0230
Pacific Halibut Permitting: 0648-0203
No, the information is not covered by the Paperwork Reduction Act.
Indicate the technologies used that contain PII/BII in ways that have not been previously
deployed. (Check all that apply.)
2.5
Technologies Used Containing PII/BII Not Previously Deployed (TUCPBNPD)
Smart Cards
Biometrics
Caller-ID
Personal Identity Verification (PIV) Cards
Other (specify):
X
There are not any technologies used that contain PII/BII in ways that have not been previously deployed.
Section 3: System Supported Activities
3.1
Indicate IT system supported activities which raise privacy risks/concerns. (Check all that
apply.)
Activities
Audio recordings
X
14
Building entry readers
X
�Version Number: 01-2021
Video surveillance
Other (specify):
X
Electronic purchase transactions
There are not any IT system supported activities which raise privacy risks/concerns.
Section 4: Purpose of the System
4.1
Indicate why the PII/BII in the IT system is being collected, maintained, or disseminated.
(Check all that apply.)
Purpose
For a Computer Matching Program
For administering human resources programs
X
For administrative matters
To promote information sharing initiatives
X
For litigation
For criminal law enforcement activities
X
For civil enforcement activities
For intelligence activities
To improve Federal services online
For employee or customer satisfaction
X
For web measurement and customization
For web measurement and customization
technologies (single-session)
technologies (multi-session)
Other (specify):
NOAA0201 provides a cloud service which acts as an intermediary for data collection from the field and
transportation to NOAA4600.
X
Information is disseminated to state enforcement entities.
Section 5: Use of the Information
5.1
In the context of functional areas (business processes, missions, operations, etc.) supported
by the IT system, describe how the PII/BII that is collected, maintained, or disseminated
will be used. Indicate if the PII/BII identified in Section 2.1 of this document is in
reference to a federal employee/contractor, member of the public, foreign national, visitor
or other (specify).
West Coast Groundfish Observer Program (WCGOP) and Observer Logistics (OBSLOG)
•
•
WCGOP Database: Information collected from vessels is used in fisheries management and
stock assessments. Information collected by observers, including statements of fact from vessels
in the fishery may also be used by law enforcement to investigate and prosecute potential
violations or criminal activity. Information collected is from members of the public.
OBSLOG: Information collected is used to determine eligibility of applicants wishing to be
trained as a federal fishery observer. There are educational and other requirements specified in
the federal register that must be met for a person to be eligible. OBSLOG also serves as the
access point to OLE and USCG to view statements of fact and other incidents. Statements of
fact are stored in the WCGOP database, but are viewable in OBSLOG via a database link.
Information collected is from members of the public.
15
�Version Number: 01-2021
Economic Data Collection (EDC)
EDC requests data on costs, revenue, ownership, and employment and this information is used to study
the economic impacts of the West Coast Trawl Groundfish Catch Share Program on affected harvesters,
processors, and communities, as well as net benefits to the nation. Information is collected so that EDC
economists may evaluate the Catch Share Program. Aggregated data and analyses are compiled into a
report and presented to the Pacific Fishery Management Council.
Additional economic analyses may be conducted by other NMSF staff. Information collected is from
members of the public.
West Coast Groundfish Permits Program
This information will allow NMFS to identify owners and holders of permits and non-permit
registrations and vessel owners and operators, evaluate permit applications, and document agency
actions relating to the issuance, renewal, transfer, revocation, suspension or modification of a permit or
registration. Tax Identification Numbers allow positive identification for cost recovery billing of IFQ
holders.
Office of Law Enforcement (OLE) Vessel Monitoring System (VMS)
The declaration information is used to ensure compliance with regional and federal fishing regulations.
The data is also utilized to analyze fishing activity in relation to whale and turtle entanglements on the
West coast. The data is joined with other data sources with a goal of identifying methods for reducing
whale and turtle entanglements off the West Coast.
5.2
Describe any potential threats to privacy, such as insider threat, as a result of the
bureau’s/operating unit’s use of the information, and controls that the
bureau/operating unit has put into place to ensure that the information is handled,
retained, and disposed appropriately. (For example: mandatory training for
system users regarding appropriate handling of information, automatic purging of
information in accordance with the retention schedule, etc.)
Both external threats and insider threats pose a potential threat to privacy of the information stored.
Additionally, any process or person that would disclose NOAA4600 data in an unauthorized or negligent
manner are considered a threat. NOAA4600 implements various controls to protect the unauthorized
disclosure of information including:
•
•
•
•
•
•
Implementation of security standards on IT equipment which the data is stored
Annual IT Security Training
Non-disclosure agreements
Enforcement of least privilege
Utilization of encryption
Sanitization of media
16
�Version Number: 01-2021
Section 6: Information Sharing and Access
Indicate with whom the bureau intends to share the PII/BII in the IT system and how the
PII/BII will be shared. (Check all that apply.)
6.1
Recipient
Case-by-Case
Within the bureau
DOC bureaus
Federal agencies
State, local, tribal gov’t agencies
Public
Private sector
Foreign governments
Foreign entities
Other (specify): *access is restricted to their own PII/BII.
X
X
X
X
X*
How Information will be Shared
Bulk Transfer
Direct Access
X
X
X
X
X
X
The PII/BII in the system will not be shared.
6.2
Does the DOC bureau/operating unit place a limitation on re-dissemination of PII/BII
shared with external agencies/entities?
X
Yes, the external agency/entity is required to verify with the DOC bureau/operating unit before redissemination of PII/BII.
No, the external agency/entity is not required to verify with the DOC bureau/operating unit before redissemination of PII/BII.
No, the bureau/operating unit does not share PII/BII with external agencies/entities.
6.3
Indicate whether the IT system connects with or receives information from any other IT
systems authorized to process PII and/or BII.
X
Yes, this IT system connects with or receives information from another IT system(s) authorized to
process PII and/or BII.
Provide the name of the IT system and describe the technical controls which prevent PII/BII leakage:
NOAA4000 - Fisheries WAN and Enterprise Services & Vessel Monitoring System (vTRACK)
NOAA4200 - Northeast Fisheries Science Center (NEFSC) Network
NOAA4800 - Alaska Fisheries Science Center (AKFSC) Network
NOAA4930 - Southwest Fisheries Science Center (SWFSC) Network
NOAA4960 – Pacific Islands Fisheries Science Center (PIFSC) Network
NOAA0201 - Web Operations Center (WOC) Network
NOAA0550 – N-Wave Network
NOAA0100 - NOAA Cyber Security Center (H)
NOAA4600 also has a connection with an non-FISMA system, the Monterrey Bay Aquarium Research
Institute (MBARI)
Traffic with other FISMA systems is routed over an enterprise WAN connection and additional firewall
access control levels limit the connection to specific resources and ports. Secure database connections
(when a database connection is utilized) and appropriate access control levels on named database accounts
17
�Version Number: 01-2021
are utilized.
No, this IT system does not connect with or receive information from another IT system(s) authorized to
process PII and/or BII.
18
�Version Number: 01-2021
Identify the class of users who will have access to the IT system and the PII/BII. (Check
all that apply.)
6.4
Class of Users
X
X
General Public
Government Employees
X
Contractors
Other (specify):
West Coast Groundfish Observer Program (WCGOP) and Observer Logistics (OBSLOG): Members of the
General Public who have a demonstrated need and have signed a Non-Disclosure Agreement are granted access to
data via the FRAM data warehouse. Data sharing agreements may also be used for valid collaborators for research
purposes.
Economic Data Collection (EDC): Members of the General Public who have a demonstrated need and have signed
a Non-Disclosure Agreement are granted access to data via the FRAM data warehouse.
Section 7: Notice and Consent
Indicate whether individuals will be notified if their PII/BII is collected, maintained, or
disseminated by the system. (Check all that apply.)
7.1
X
X
Yes, notice is provided pursuant to a system of records notice published in the Federal Register and
discussed in Section 9.
Yes, notice is provided by a Privacy Act statement and/or privacy policy. The Privacy Act statement
and/or privacy policy can be found at:
West Coast Groundfish Observer Program (WCGOP)
https://nwcoa3.nwfsc.noaa.gov/obsprod/logon.display
(Displays a pop-up that requires Internet Explorer or Firefox to access the app and statement)
Observer Logistics (OBSLOG)
https://www.webapps.nwfsc.noaa.gov/apex/ifq/f?p=505:28
Economic Data Collection (EDC)
https://www.webapps.nwfsc.noaa.gov/edc/PrivacyAct
West Coast Groundfish Individual Fishing Quote (IFQ)
https://www.webapps.nwfsc.noaa.gov/ifq
(Scroll to the bottom and click “IFQ Privacy Act Statement to open the pop-up window. The
Statement is also available when user clicks the "Log In" button)
West Coast Groundfish Permits:
https://www.webapps.nwfsc.noaa.gov/apex/ifq/f?p=112:88::POP:NO:::
Pacific Halibut Permitting
https://www.webapps.nwfsc.noaa.gov/apex/ifq/f?p=120
(The statement is provided to an authenticated user prior to form submission)
X
.
Yes, notice is provided by other means.
Specify how:
WCGOP and OBSLOG Observation Information: Vessel
captains/owners receive letters from the permit office explaining
the requirements when they apply for permits or individual
19
�Version Number: 01-2021
fishing quota accounts.
OBSLOG Observer Application: Those submitting the
information are informed on the observer provider company’s
application that it is a requirement for participating in the
program.
EDC: Notification is provided on the economic data survey
instrument.
West Coast Groundfish Permits: Notice is provided on the
permit or related application.
X
7.2
No, notice is not provided.
NOAA4600 System Maintenance Information: Information
collected for employee/contractor emergency contact, and
disaster recovery/continuity of operations is requested in
writing. Information collected for account management is
requested in writing or via email by the user’s supervisor, at the
time that the user requests an account on the information system
Specify why not:
In some cases notice is not provided during direct interactions
involving WCGOP Observers and vessels.
Indicate whether and how individuals have an opportunity to decline to provide PII/BII.
X
Yes, individuals have an opportunity to
decline to provide PII/BII.
Specify how:
WCGOP and OBSLOG Observation Information: Vessel
captains/owners may decline to provide PII/BII in writing to
observers or observer program staff, but participation in a
fishery requires consent to carry an observer when directed to by
the agency and to provide information requested by the
observer. If the individual declines, the vessel will be fishing out
of compliance with the regulations and would be in violation.
OBSLOG Observer Application: Observer applicants may
decline to provide the information by not completing the
application, but they would be denied entry into the program.
Eligibility to perform the duties of a federal fishery observer
cannot be determined without providing PII.
EDC: The respondent may decline by not completing and
submitting the required EDC form, but that may delay the
completion of administrative actions such as permit renewal,
vessel registration, license issuance, and quota transfers.
Economic data collection is mandatory under the Catch Share
Program, and thus participation in the EDC program is
mandatory under the regulation 50 CFR 660.114.
West Coast Groundfish Permits: The personal information is
collected when the individual completes the appropriate
application. On application, the individual is advised that
providing the information is voluntary, but that NMFS will not
be able to issue a permit if the individual does not provide each
item of information requested. The individual may choose to
decline to provide the required personal information or to
20
�Version Number: 01-2021
consent to the particular use of their personal information at that
time.
APPS: The Endangered Species Act and Marine Mammal
Protection Act require the applicant provide evidence of their
qualifications. The individual would decline to provide PII/BII
by not submitting information on their qualifications, and thus
application would be denied.
Pacific Halibut Permitting: The individual would decline to
provide PII/BII by not submitting information required for the
permitting process, and thus application would be denied.
NOAA4600 System Maintenance Information:
Employees and staff may decline to provide PII /BII for
emergency contact and disaster recovery by not filling in the
PII/BII information. Employees and staff may decline to provide
account information by not applying for an account, but this may
be required for their job duties.
No, individuals do not have an
opportunity to decline to provide
PII/BII.
7.3
Specify why not:
Indicate whether and how individuals have an opportunity to consent to particular uses of
their PII/BII.
X
Yes, individuals have an opportunity to
consent to particular uses of their
PII/BII.
Specify how:
WCGOP and OBSLOG Observation Information: Vessel
captains/owners may not consent to provide PII/BII (by not
providing notification to observers of planned trips, or not
allowing observers to board), but participation in a fishery
requires consent to carry an observer when directed to by the
agency and to provide information requested by the observer.
Observer coverage of fisheries is required by regulation and to
participate in the fishery, information must be collected for
management uses, including stock assessments, and may also be
used by law enforcement to investigate and prosecute potential
violations or criminal activity. There are no other uses.
OBSLOG Observer Application: Consent to the use of applicant
information for determination of eligibility for employment is
implied by completion of the application.
EDC: Vessel owners or captains may decline to provide consent
to the use of their data in economic analyses (this is the only use
of the data) by not completing the form, but failure to comply
may delay the completion of administrative actions such as
permit renewal, vessel registration, license issuance, and quota
transfers.
West Coast Groundfish Permits: The individual may choose to
decline to provide the required personal information or to
consent to the particular use of their personal information at that
time (see 7.2).
21
�Version Number: 01-2021
APPS: When the applicant sign the permit application, they are
consenting to the use of the PII/BII for the sole purpose of
processing the application.
Pacific Halibut Permitting: When the applicant submits a permit
application, they are consenting to the use of the PII/BII to
determine eligibility criteria.
No, individuals do not have an
opportunity to consent to particular uses
of their PII/BII.
7.4
NOAA4600 System Maintenance Information: Where specified
in NOAA Office of Human Capital Services forms, employees
have the opportunity to consent to particular use of their PII/BII.
Employee and staff General Personal Data information is
required for badging and emergency notifications but users may
decline to provide COOP info. Employees and staff are
informed of the use of their data, and these data are not used for
any other purpose.
Specify why not:
Indicate whether and how individuals have an opportunity to review/update PII/BII
pertaining to them.
X
Yes, individuals have an opportunity to
review/update PII/BII pertaining to
them.
Specify how:
WCGOP and OBSLOG Observation Information: Fisher
information is collected from state or federal agencies where
fishers submit the information in order to participate in the
fishery. Fishers may contact WCGOP administration or
permitting office by email or telephone to update their contact
information.
OBSLOG Observer Application: Observers are able to submit
updates or requests to view the data, to their observer provider.
EDC: Individuals may request their original submissions of
PII/BII from the federal office staff. They may update any
PII/BII via phone, fax, or mail.
West Coast Groundfish Permits:
When completing or renewing a permit application or
supporting document, or by calling or emailing the applicable
NMFS office at any time. Permits are completed online or by
reviewing and updating a paper renewal application pre-filled by
NMFS with their most recent information on the permit holder.
APPS: Application information (e.g. address, phone, CV or
resume) can be updated by the end user through the application.
Pacific Halibut Permitting: Application information can be
updated by the end user through the application.
NOAA4600 System Maintenance Information:
Instructions for updating contact information fields are provided
in the forms the customer fills out. NOAA Employees can
22
�Version Number: 01-2021
update PII on an as needed basis through their supervisor for
COOP and Emergency contact information.
No, individuals do not have an
opportunity to review/update PII/BII
pertaining to them.
Specify why not:
Section 8: Administrative and Technological Controls
Indicate the administrative and technological controls for the system. (Check all that
apply.)
8.1
X
X
X
X
X
X
X
X
X
X
X
X
8.2
All users signed a confidentiality agreement or non-disclosure agreement.
All users are subject to a Code of Conduct that includes the requirement for confidentiality.
Staff (employees and contractors) received training on privacy and confidentiality policies and practices.
Access to the PII/BII is restricted to authorized personnel only.
Access to the PII/BII is being monitored, tracked, or recorded.
Explanation: Sensitive information is being tracked in many ways. The first way is through journaling
tables where each transaction is logged into separate tables that only application admins can view.
Database and application auditing is also configured to provide another layer of tracking. Audit logs are
used to track access of system resources. Physical access is controlled through building access
monitoring and physical locks only accessible by authorized personnel.
The information is secured in accordance with the Federal Information Security Modernization Act
(FISMA) requirements.
Provide date of most recent Assessment and Authorization (A&A): November 15, 2024
☐ This is a new system. The A&A date will be provided when the A&A package is approved.
The Federal Information Processing Standard (FIPS) 199 security impact category for this system is a
moderate or higher.
NIST Special Publication (SP) 800-122 and NIST SP 800-53 Revision 4 Appendix J recommended
security controls for protecting PII/BII are in place and functioning as intended; or have an approved Plan
of Action and Milestones (POA&M).
A security assessment report has been reviewed for the information system and it has been determined
that there are no additional privacy risks.
Contractors that have access to the system are subject to information security provisions in their contracts
required by DOC policy.
Contracts with customers establish DOC ownership rights over data including PII/BII.
Acceptance of liability for exposure of PII/BII is clearly defined in agreements with customers.
Other (specify):
Provide a general description of the technologies used to protect PII/BII on the IT system.
(Include data encryption in transit and/or at rest, if applicable).
NOAA4600 utilizes Data Resource Accounts, and Access Control Levels allow authorized staff to access
NOAA4600 data which may contain PII or BII. Computer account types include, but, are not limited to,
Domain Accounts, Email/LDAP Accounts, Unix Accounts, Intranet Accounts, and Local System
Accounts. Group memberships are used to assign Security Access Controls to authorized Data Resource
Accounts. NOAA4600 applies Least Privilege and Least Functionality principles when providing security
clearance. Access Enforcement Mechanisms (Encryption-at-Rest for offline media, Encryption-in-Transit,
Distributed Directory Services) are implemented to prevent malicious or accidental access by unauthorized
persons.
23
�Version Number: 01-2021
Section 9: Privacy Act
9.1
Is the PII/BII searchable by a personal identifier (e.g,, name or Social Security number)?
X
Yes, the PII/BII is searchable by a personal identifier.
No, the PII/BII is not searchable by a personal identifier.
Indicate whether a system of records is being created under the Privacy Act, 5 U.S.C. §
552a. (A new system of records notice (SORN) is required if the system is not covered by
an existing SORN).
9.2
As per the Privacy Act of 1974, “the term ‘system of records’ means a group of any records under the control of any agency from which
information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned
to the individual.”
X
Yes, this system is covered by an existing system of records notice (SORN).
Provide the SORN name, number, and link. (list all that apply):
West Coast Groundfish Observer Program (WCGOP) and Observer Logistics (OBSLOG):
•
NOAA-6, Fishermen's Statistical Data
•
NOAA-15, Monitoring of National Marine Fisheries Service Observers
Economic Data Collection (EDC):
• NOAA-23, Economic Data Collection (EDC) Program for West Coast Groundfish Trawl Catch
Share Program off the coast of Washington, Oregon, and California
West Coast Groundfish Permits and Office of Law Enforcement (OLE) Vessel Monitoring System (VMS):
•
NOAA-19, Permits and Registrations for United States Federally Regulated Fisheries
NOAA4600 System Maintenance Information:
• COMMERCE/DEPT-25, Access Control and Identity Management System
Authorizations and Permits For Protected Species (APPS):
• NOAA-12, Marine Mammals, Endangered and Threatened Species, Permits and Authorizations
Applicants
Pacific Halibut Permitting:
•
NOAA-19, Permits and Registrations for United States Federally Regulated Fisheries
Employee/Contractor Badging/COOP
• COMMERCE/DEPT-18, Employee Personnel Files Not Covered by Notices of Other Agencies
COVID-19 Visitor Log Information
• COMMERCE/DEPT-31, Public Health Emergency Records of Employees, Visitors, and Other
Individuals at Department Locations
Yes, a SORN has been submitted to the Department for approval on (date).
No, this system is not a system of records and a SORN is not applicable.
24
�Version Number: 01-2021
Section 10: Retention of Information
10.1 Indicate whether these records are covered by an approved records control schedule and
monitored for compliance. (Check all that apply.)
X
There is an approved record control schedule.
Provide the name of the record control schedule:
West Coast Groundfish Observer Program (WCGOP) and Observer Logistics (OBSLOG:
1502-02 Survey Operations Files; 1513-10 Observer Program Files
Economic Data Collection (EDC):
All records are retained and disposed of in accordance with National Archives and Records Administration
regulations (36 CFR Subchapter XII, Chapter B-Records Management);Departmental directives and
comprehensive records schedules; NOAA Administrative Order 205-01; and the NMFS Records
Disposition Schedule, Chapter 1500.
West Coast Groundfish Permits:
NOAA 1504-11; NOAA 1514-01
Authorizations and Permits for Protected Species (APPS):
NOAA 1514-01
Pacific Halibut Permitting:
NOAA 1504-11; NOAA 1514-01
NOAA4600 System Maintenance Information:
• GRS 2.1
Employee Acquisition Records
• GRS 2.2
Employee Management Records
• GRS 2.3
Employee Relations Records
• GRS 2.4
Employee Compensation & Benefits Records
• GRS 2.5
Employee Separation Records
• GRS 2.6
Employee Training Records
• GRS 2.7
Employee Health & Safety Records
• GRS 3.1 General Technology Management Records, Item 040: Information technology oversight and
compliance records,
• GRS 3.2 Information Systems Security Record, Items 030, 031: System access records,
NOAA Records Schedules: 1406-01, In Situ and remotely Sensed Environmental Data; 1406- 02,Order
Processing Information Systems; 1406-03, Metadata Management Database.
No, there is not an approved record control schedule.
Provide the stage in which the project is in developing and submitting a records control schedule:
X
Yes, retention is monitored for compliance to the schedule.
No, retention is not monitored for compliance to the schedule. Provide explanation:
10.2 Indicate the disposal method of the PII/BII. (Check all that apply.)
25
�Version Number: 01-2021
Disposal
Shredding
Degaussing
Other (specify):
X
Overwriting
Deleting
X
X
Section 11: NIST Special Publication 800-122 PII Confidentiality Impact Level
11.1 Indicate the potential impact that could result to the subject individuals and/or the
organization if PII were inappropriately accessed, used, or disclosed. (The PII
Confidentiality Impact Level is not the same, and does not have to be the same, as the
Federal Information Processing Standards (FIPS) 199 security impact category.)
X
Low – the loss of confidentiality, integrity, or availability could be expected to have a limited adverse
effect on organizational operations, organizational assets, or individuals.
Moderate – the loss of confidentiality, integrity, or availability could be expected to have a serious adverse
effect on organizational operations, organizational assets, or individuals.
High – the loss of confidentiality, integrity, or availability could be expected to have a severe or
catastrophic adverse effect on organizational operations, organizational assets, or individuals.
11.2 Indicate which factors were used to determine the above PII confidentiality impact level.
(Check all that apply.)
Identifiability
X
X
X
X
Provide explanation:
Quantity of PII
Provide explanation:
The Information collects and maintains records which may be
perceived as sensitive or potentially damaging for individuals or
business related to the West Coast Observer Program, Economic
Data Collection Program and West Coast Groundfish Permits
Programs.
Data Field Sensitivity
Provide explanation:
The IFQ and Permits applications contains moderately sensitive PII
and BII, such as name, address, Tax ID number, and ownership
interest. The IFQ system also maintains unique Vessel Account
Identification numbers and manages Vessel Account balances and
deficit tracking. This type of information is considered privileged,
and unauthorized disclosure is prohibited by the Magnuson-Stevens
Act, the Privacy Act, and laws prohibiting disclosure or
unauthorized access.
Context of Use
Provide explanation:
Use of information for law enforcement activities
Obligation to Protect Confidentiality Provide explanation:
Magnuson-Stevens Fishery Conservation & Management. Act, Sec.
402. ø16 U.S.C. 1881a¿ Information Collection.
Access to and Location of PII
Provide explanation:
Other:
Provide explanation:
26
�Version Number: 01-2021
Section 12: Analysis
12.1 Identify and evaluate any potential threats to privacy that exist in light of the information
collected or the sources from which the information is collected. Also, describe the
choices that the bureau/operating unit made with regard to the type or quantity of
information collected and the sources providing the information in order to prevent or
mitigate threats to privacy. (For example: If a decision was made to collect less data,
include a discussion of this decision; if it is necessary to obtain information from sources
other than the individual, explain why.)
The Information collects and maintains records that may be perceived as sensitive or potentially
damaging for individuals or business related to the West Coast Observer Program, Economic Data
Collection Program and West Coast Groundfish Permits Programs. Any process or person that would
disclose this data in an unauthorized or negligent manner would be considered a threat. All collected
information collected was deemed as important by the programs that manage the processes and is
important for fisheries management.
NOAA4600 has put controls in place (i.e., encryption at rest and proper access controls) to ensure
that the information is handled, maintained and disposed appropriately. Further, NOAA4600 follows
DOC and NOAA mandates as well as trains applicable personnel to ensure everyone has a certain
knowledge of proper security practices. This does not cause any new privacy risks.
12.2 Indicate whether the conduct of this PIA results in any required business process changes.
Yes, the conduct of this PIA results in required business process changes.
Explanation:
X
No, the conduct of this PIA does not result in any required business process changes.
12.3 Indicate whether the conduct of this PIA results in any required technology changes.
Yes, the conduct of this PIA results in required technology changes.
Explanation:
X
No, the conduct of this PIA does not result in any required technology changes.
27
�Version Number: 01-2021
Points of Contact and Signatures
Information System Security Officer or
System Owner
Information Technology Security Officer
Name: Anthony Yang
Office: NOAA/NMFS/NWFSC
Phone: 206-860-3415
Email: Tony.Yang@noaa.gov
Name: Catherine Amores
Office: NOAA/NMFS/OCIO
Phone: 301-427-8871
Email: Catherine.Amores@noaa.gov
I certify that this PIA is an accurate representation of the security
controls in place to protect PII/BII processed on this IT system.
YANG.ANTHONY.S.13 Digitally signed by
YANG.ANTHONY.S.1365883897
Date: 2025.01.27 14:35:39 -08'00'
Signature: 65883897
I certify that this PIA is an accurate representation of the security
controls in place to protect PII/BII processed on this IT system.
Date signed:
1/27/25
Signature:
AMORES.CATHERINE.S
OLEDAD.1541314390
Date signed:
1/29/25
Privacy Act Officer
Authorizing Official
Name:
Office:
Phone:
Email:
Name: Nicolle Hill
Office: NOAA/NMFS/NWFSC
Phone: 425-666-9890
Email: Nicolle.Hill@noaa.gov
Robin Burress
NOAA OCIO
828-271-4695
Robin.Burress@noaa.gov
I certify that the appropriate authorities and SORNs (if applicable)
are cited in this PIA.
Signature:
Date signed:
Robin.Burress
2025.01.30 07:17:11
-05'00'
1/30/25
Digitally signed by
AMORES.CATHERINE.SOLEDAD.1541314390
Date: 2025.01.29 10:26:02 -05'00'
I certify that this PIA is an accurate representation of the security
controls in place to protect PII/BII processed on this IT system.
Digitally signed by Nicolle Hill
Date: 2025.01.27 15:37:22 -08'00'
Signature:
Date signed:
1/27/25
Bureau Chief Privacy Officer
Name:
Office:
Phone:
Email:
Mark Graff
NOAA OCIO
301-628-5658
Mark.Graff@noaa.gov
I certify that the PII/BII processed in this IT system is necessary
and this PIA ensures compliance with DOC policy to protect
privacy.
signed by
GRAFF.MARK.HYRUM Digitally
GRAFF.MARK.HYRUM.1514447892
Date: 2025.02.05 08:30:17 -05'00'
Signature: .1514447892
Date signed:
2/5/25
This page is for internal routing purposes and documentation of approvals. Upon final
approval, this page must be removed prior to publication of the PIA.
28
�
| File Type | application/pdf |
| Author | lmartin1 |
| File Modified | 2025-02-05 |
| File Created | 2025-01-27 |