Privacy Impact Assessment for the Correspondence Management System

I. Data in the System

  1. Generally describe what data/information will be collected in the system.

    CMS captures metadata relating to internally and externally generated Agency correspondence; draft responses (including versions); scanned (.pdf) copies of incoming correspondence, outgoing responses and final documents; and electronic versions of supporting documents. The application also captures information relating to workflows, including which Agency employees created, modified, reviewed, or concurred on the documents in the application and when they did it.

  2. What are the sources and types of the information in the system?

    Correspondence is generated by EPA employees, members of the public, stakeholders, industry, academia, Congress, the White House, and state, local, tribal, and international governments. Information may be received in hard copy or electronic format (most commonly e-mail).

  3. How will the data be used by the Agency?

    The data is used to facilitate the dissemination of information to the public, stakeholders, and government officials. It is also used to facilitate searches of Agency records responsive to Freedom of Information Act and legal discovery requests, as well as Congressional inquiries.

  4. Why is the information being collected? (Purpose)

    To track, route, and store incoming and outgoing Agency correspondence from and to members of the public, private, and governmental sectors.

II. Access to the Data

  1. Who will have access to the data/information in the system (internal and external parties)? If contractors, are the Federal Acquisition Regulations (FAR) clauses included in the contract (24.104 Contract clauses; 52.224-1 Privacy Act Notification; and 52.224-2 Privacy Act)?

    No external parties have access to this application. The FAR clauses are included in the CMS maintenance contract. Only EPA employees or authorized contractors have access to the data/information in CMS. Access is limited according to the individual's office and his or her assigned role. In general, an individual may only access a control (the CMS term for the virtual folder containing the scanned images, files, and metadata for each piece of correspondence tracked using the application) if she or he created the control, modified the control, edited the control, or was granted viewing authority by the creator of the control. In this way, access to CMS records mirrors access to hard-copy records.

  2. What controls are in place to prevent the misuse of data by those having authorized access?

    Only EPA employees and contractors may request access to this system, which means they 1) have passed a background check appropriate to their responsibilities; and 2) receive periodic security, Privacy Act, and records management training.

  3. Do other systems share data or have access to data/information in this system? If yes, explain who will be responsible for protecting the privacy rights of the individuals affected by the interface? (i.e., System Administrators, System Developers, System Managers)


  4. Will other agencies, state or local governments share data/information or have access to data in this system? (Includes any entity external to EPA.)


  5. Do individuals have the opportunity to decline to provide information or to consent to particular uses of the information? If yes, how is notice given to the individual? (Privacy policies must clearly explain where the collection or sharing of certain information may be optional and provide users a mechanism to assert any preference to withhold information or prohibit secondary use.)

    No. Anyone writing to the U.S. Environmental Protection Agency voluntarily shares the content of their letter, their name, and whatever contact information they provide. CMS does nothing more than capture this information in an electronic format for internal tracking, workflow control, and retrieval purposes.

III. Attributes of the Data

  1. Explain how the use of the data is both relevant and necessary to the purpose for which the system is being designed.

    The data captured in the system is essential to its operation. Without sufficient metadata or scanned images, this paperless document tracking and workflow management system could not function.

  2. If data are being consolidated, what controls are in place to protect the data from unauthorized access or use? Explain.


  3. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.


  4. How will data be retrieved? Can it be retrieved by personal identifier? If yes, explain. (A personal identifier is a name, Social Security Number, or other identifying symbol assigned to an individual, i.e. any identifier unique to an individual.)

    Data may be retrieved through ordinary simple and compound query functions by searching on metadata elements. Name components are searchable metadata, so data can be retrieved by a personal identifier.

  5. Is the Web privacy policy machine readable? Where is the policy stated? (Machine readable technology enables visitors to easily identify privacy policies and make an informed choice about whether to conduct business with that site.)

    CMS is available to authorized users only within the secure EPA network (inside the firewall). It is not accessible by members of the public. Therefore, no privacy policy message is required.

IV. Maintenance of Administrative Controls

  1. Has a record control schedule been issued for the records in the system? If so, provide the schedule number. What are the retention periods for records in this system? What are the procedures for eliminating the records at the end of the retention period? (You may check with the record liaison officer (RLO) for your AA-ship, Tammy Boulware (Headquarters Records Officer) or Judy Hutt, Agency Privacy Act Officer, to determine if there is a retention schedule for the subject records.)

    A records schedule is under development for the system, No. 77. Electronic data is disposable and will be kept for the length of time required by the applicable records schedule. (CMS is not certified as an electronic system of record, so EPA creates and manages hard copy records that correspond to the information contained in CMS. Each of these hard copy records is maintained in accordance with its associated records schedule.)

  2. While the data are retained in the system, what are the requirements for determining if the data are still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?

    Data retention is governed by the applicable records schedules. Beyond normal security controls designed to prevent hacking into the system or otherwise modifying or accessing content without permission, no other controls exist for making the determinations listed above.

  3. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.

    To the extent that a correspondent's name and address remain unchanged, the system could be used to identify or locate an individual for as long as the record(s) associated with the individual exist.

  4. Does the system use any persistent tracking technologies?


  5. Under which System of Records (SOR) notice does the system operate? Provide the name of the system and its SOR number if applicable. For reference, please view this list of Agency SORs. (A SOR is any collection of records under the control of the Agency in which the data is retrieved by a personal identifier. The Privacy Act Officer will determine if a SOR is necessary for your system.)

    EPA-22 Correspondence Management System (CMS)
