Privacy Impact Assessment for the Enterprise Process Automation System (EPAS)
July 15, 2011
Issuing Official
James J. Landon
Privacy and Civil Liberties Officer
Office of General Counsel
Reviewing Official
Vance E. Hitch
Chief Information Officer
Department of Justice
Approving Official
Nancy C. Libin
Chief Privacy and Civil Liberties Officer
Department of Justice
The Enterprise Process Automation System (EPAS) implements a workflow system on the FBINET to serve as a standard for automated business processes. As part of a major initiative by the Director’s Office, the Resource Planning Office (RPO), Business Process Management Unit (BPMU), which is the EPAS system owner, was tasked with deploying the EPAS project to host automated business processes as they are developed and deployed by both the RPO and other Divisions.
EPAS replaces out-dated manual work processes and stand-alone spreadsheets and databases with an efficient, cohesive, highly automated information sharing system. The enhanced capabilities will allow the FBI to reduce risk to people, information, operations, equipment, and facilities, and to share selected information within the FBI. These applications support FBI’s administrative operations including the management of its human resources and payroll functions, hiring, and security.
The EPAS system includes personnel data obtained directly from the individual, the individual’s supervisor, the National Finance Center (NFC), the Bureau Personnel Management System (BPMS), the Financial Management System (FMS) or from background investigation interviews. Data is captured for approximately 32,000 FBI employees, 20,000 plus contractors, and applicants. Access is limited to FBI personnel and is restricted based on area of purview.
The following processes have been automated and the associated workflows are hosted in the EPAS environment: [For details please see Appendix A]
1. Intra-Government Payment and Collection Process (IPAC) – Finance Division (FD)
2. SF-52 Process – Human Resources Division (HRD)
3. Priority Hiring Process - RPO
4. Professional Staff Hiring Process - HRD
5. Awards Process - HRD
6. Automated Special Agent Promotion Process (ASAPP) - HRD
7. Transfers Process – HRD/FD
8. Clearance Processing System (CPS) – Security Division (SecD)
9. System Access Request process – Information Technology Operations Division (ITOD)
10. BPMU Issue Tracking System (BITS)
11. Training Request and Budgeting System/Travel Expense Enterprise (TRUSTEE) – Training Division (TD)
12. Automated Requisition Tool (ART) – FD
13. Self-Reporting Sub-Programs (SRSP) - SecD
Forms in EPAS that relate to financial matters and contain information on the payment of vouchers will collect an employee’s name, social security number (SSN), date of birth (DOB), or information included on requisitions. Personnel data includes name, SSN, DOB, address, pay grade and is used to process promotions, evaluate job applications, create user accounts on FBINET or UNET, process awards, and track service agreements. Data collected for security background purposes includes name, SSN, DOB, current and previous addresses, and family members.
EPAS will continue to host additional workflow processes as they are developed. Potential future uses include the automation of the requisition process, automation of the Special Agent Personnel Resource List, collection of training/travel information and interfaces with Virtual Academy, and the collection of security information on employee foreign travel, roommates, and external employment.
This PIA covers the forms currently in EPAS and any additional forms that support FBI’s administrative operations including the management of its human resources and payroll functions, hiring, and security. The FBI’s Privacy and Civil Liberties Officer will require a PTA on other workflows that may be added to EPAS.
Section 1.0
The System and the Information Collected and Stored Within the System
1.1. What information is to be collected?
The system captures personally identifiable information such as name, address, SSN, telephone number, e-mail address, DOB, user IDs, and other types of information listed in Appendix A and in the introduction in order to automate the above-mentioned processes.
EPAS contains management information necessary to identify workload problems, processing times, and general trends important to managing the automated processes. Management information is metrics on processing (numbers, time, bottlenecks, etc.) provided in order to allow them to make informed decisions. EPAS contains information about non-employees only insofar as it is contained in an employee file, such as the relatives listed on an SF-86 security questionnaire or on a self-reporting program tracked by Security Division (i.e. roommates, foreign contacts). This is not ingested, except to the extent that information about an individual is necessary for the application or reinvestigation process. All the information is cross-checked with information contained on relevant forms. EPAS provides information which makes it possible to determine the date the record was created, and when, and what changes were made. EPAS records can be subject to internal manual audits to verify proper operation of the system.
1.2. From whom is the information collected?
The data is obtained from the BPMS, NFC and/or directly from the individual or individual’s supervisor, either through a phone call, information the applicant submitted through the QuickHire application, or through the SF-86.
Information collected through the background investigation and not directly from the individual is explained in the PIA for the Security Management Information Systems, dated October 10, 2005, and the updated PTA completed March 23, 2009.
Section 2.0
The Purpose of the System and the Information Collected and Stored Within the System
2.1. Why is the information being collected?
As a workflow tool, EPAS has automated multiple paper intensive processes. The EPAS system automates information collection to make it more efficient by replacing out-of-date work processes, stand-alone spreadsheets, and databases with an efficient, cohesive information sharing system. Prior to EPAS, data was collected and stored in BPMS, various Security Division databases, or on paper forms. The EPAS system serves as a central repository for various entities within the FBI to share data in order to streamline the hiring process for applicants, provide a framework for the background investigation, and to pay Bureau employees. The information collected is necessary to effectuate each of the processes. (See Appendix A for a description of each process and the reason data is collected.)
2.2. What specific legal authorities, arrangements, and/or agreements authorize the collection of information?
The collection of data is consistent with general recordkeeping statutes, 5 U.S.C. 301 and 44 U.S.C. 3101.
2.3. Privacy Impact Analysis: Given the amount and type of data collected, as well as the purpose, discuss what privacy risks were identified and how they were mitigated.
One of the privacy risks identified is overcollection. This risk is mitigated since the data collected in EPAS is the same data that was previously collected in paper forms.
Another risk identified is improper access to the data or misuse of the information in the database. During development of the system, the EPAS team specifically outlined different roles within each process to ensure the enforcement of separation of duties and that information is presented only on a need-to-know basis. User accounts are managed through the FBI’s Active Directory database for user access to the FBI Secret Enclave. EPAS will control and limit user access based on identification and authentication of the user. Users are not able to perform actions without proper user privileges. When an EPAS user attempts to access the system through single sign on, EPAS determines the logon ID of the incoming user and then checks the EPAS user database to verify the user is authorized to access the system. If the user has an account for a process in EPAS, he or she is provided access to the EPAS interface and that specific process.
Additionally, PII is only available for people whose roles require the information to perform their duties. The SSNs are masked on the user interface which is viewed by the general users. In some of the processes only the last 4 digits of the SSN are required for validation purposes.
EPAS users must fill out a System Access Request (SAR), which is approved by their Division POC and then, if required, the system owner. Upon approval, the SAR will be provided to the appropriate Process Administrator for account creation. This ensures that no one will have access to a specific record unless he/she, by virtue of his/her official function or responsibility, has been pre-authorized by the responsible record or data owner.
Furthermore, there will be an audit trail in which all changes made to the records will be time and date stamped with the identity of the person accessing the record and making the change. System actions taken by EPAS users are recorded in a history table, which records the time and date the action was taken, who took the action and the name of the action taken. This is useful for auditing and oversight purposes.
The strict enforcement policy ensures that access is granted only to those individuals with a verified need-to-know the information and whose identity has been authenticated. In addition, user roles are reviewed at least once a year to ensure only employees with a need have access to a process within EPAS.
Section 3.0
Uses of the System and the Information
3.1. Describe all uses of the information.
The forms in EPAS relate to personnel, security, and financial actions and the data collected will be used to process SF-52 personnel actions properly through the National Finance Center (NFC); pay awards through NFC; process applicants through the hiring and background process; manage the transfer process payment of vouchers; manage the system access requests; track and manage the Special Agent promotion process; track continuing service agreements; track the Personnel Resource List; collect information for Security Division on roommates, foreign travel, external employment; manage the requisition process; track the flow of information for the National Name Check Program; submit position classification requests; track and manage training budgets/requests; and other processes that relate to personnel, security, and financial actions. EPAS will continue to host additional workflow processes, consistent with the categories listed above, as they are developed. Records contained in EPAS are covered under the Central Records System (CRS) SORN-JUSTICE/FBI-002 and the BPMS SORN-JUSTICE/FBI-008.
3.2. Does the system analyze data to assist users in identifying previously unknown areas of note, concern, or pattern (sometimes referred to as data mining)?
EPAS can be used to create reports, but those are limited to efficiency and productivity reports indicating how well or how long a process is operating. For example, reports are created to indicate how much of a field office’s award budget has been used or how long it takes to hire an external applicant. No pattern-based data mining is conducted on any personally identifiable information in EPAS.
3.3. How will the information collected from individuals or derived from the system, including the system itself be checked for accuracy?
EPAS data is cross-validated against BPMS, FSS, and EDS. EPAS has built-in software validation checks that prevent inconsistent or incomplete data entries.
3.4. What is the retention period for the data in the system? Has the applicable retention schedule been approved by the National Archives and Records Administration (NARA)?
The retention schedule has been approved by NARA. The EPAS team is working with RMD to implement the retention schedules as appropriate. The retention schedule requires EPAS to keep transactional data created through the workflow processes for three years. Since EPAS is the source for system access requests, the data from that process must be kept until six years after the employee leaves Bureau employment.
3.5. Privacy Impact Analysis: Describe any types of controls that may be in place to ensure that information is handled in accordance with the above described uses.
EPAS system administrators are the only individuals with the (backend) database access. EPAS will provide information making it possible to determine the date the record was created or modified, what changes were made, and who modified it. EPAS records can be subject to internal manual audits to verify proper operation of the system. Please refer to section 2.3 for additional controls that are in place.
Section 4.0
Internal Sharing and Disclosure of Information Within the System
4.1. With which internal components of DOJ is the information shared?
The data is not shared with other internal components of DOJ.
4.2. For each recipient component or office, what information is shared and for what purpose?
N/A
4.3. How is the information transmitted or disclosed?
N/A
4.4. Privacy Impact Analysis: Considering the extent of internal information sharing, discuss what privacy risks were identified and how they were mitigated.
N/A
Section 5.0
External Sharing and Disclosure
5.1. With which external (non-DOJ) recipient(s) is the information shared?
EPAS sends information through a flat file upload to the National Finance Center to facilitate the upload of employee payroll details (SF-52 changes, awards, etc.).
5.2. What information is shared and for what purpose?
Payroll details.
5.3. How is the information transmitted or disclosed?
The information is sent through a flat file upload.
5.4. Are there any agreements concerning the security and privacy of the data once it is shared? If possible, include a reference to and quotation from any MOU, contract, or other agreement that defines the parameters of the sharing agreement.
DOJ mandated the use of NFC. FBI is not aware of any agreements that may have been negotiated on the component’s behalf. The sharing of FBI payroll information with the National Finance Center is covered under the Department of Justice Payroll Division SORN, JMD-003.
5.5. What type of training is required for users from agencies outside DOJ prior to receiving access to the information?
Unknown.
5.6. Are there any provisions in place for auditing the recipients’ use of the information?
Unknown.
5.7. Privacy Impact Analysis: Given the external sharing, what privacy risks were identified and how were they mitigated?
This relationship was mandated by DOJ so FBI is not aware of the privacy risks that were identified and/or on our behalf. Records contained in EPAS are covered under the Central Records System (CRS) SORN-JUSTICE/FBI-002, the BPMS SORN-JUSTICE/FBI-008, and the Department of Justice Payroll Division SORN-JMD-003. FBI reserves the right to disclose records in accordance with the routine uses.
Section 6.0
Notice
6.1. Was any form of notice provided to the individual prior to collection of information? If yes, please provide a copy of the notice as an appendix. (A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register Notice.) If notice was not provided, why not?
Yes, a Privacy Act notice is provided to individuals upon logging into EPAS for forms that are filled out by the employee. See Appendix B. As part of its workflow automation, EPAS automated the paper intensive processes but it does not collect any new information beyond what was previously collected. Prior to EPAS, the data was collected and stored in BPMS, various Security Division databases, and on paper. The privacy policy is posted on the Business Process Management Unit BPMU web site and a link to the privacy notice is displayed on the EPAS system. The EPAS system captures the personally identifiable information directly from the individual, the individual’s supervisor, BPMS, QuickHire, and information listed on an applicant’s SF-86 Form. In the future, EPAS could collect information from Virtual Academy and any system that replaces BPMS. Both QuickHire and the SF-86 Forms have Privacy Notices (See Appendix C). The Privacy Act notice will be displayed to users of EPAS. Additionally, records contained in EPAS are covered under the Central Records System (CRS) SORN-JUSTICE/FBI-002 and the BPMS SORN-JUSTICE/FBI-008.
6.2. Do individuals have an opportunity and/or right to decline to provide information?
Yes, the notices indicate that the completion of the forms is voluntary.
6.3. Do individuals have an opportunity to consent to particular uses of the information? If such an opportunity exists, what is the procedure by which an individual would provide such consent?
The information provided by the user is used solely for the particular personnel or security process. For example, if a person applies for transfer, their information will only be used within the transfer process. The privacy policy indicates that the individuals have the right to decline to provide the information if they choose not to consent to the uses, in which case they forego the application for that process. The privacy policy is posted on the BPMU web site and the privacy notice is displayed on the EPAS system.
6.4. Privacy Impact Analysis: Given the notice provided to individuals above, describe what privacy risks were identified and how you mitigated them.
A Privacy Act notice is available on the BPMU website and is a required page to pass through upon logging into EPAS. Additionally, as the information contained in the forms in EPAS is derived from official records uploaded in the CRS and BPMS, the system is covered by those SORNs. These SORNs have been published in the Federal Register, thus providing notice and mitigating the privacy risk.
Section 7.0
Individual Access and Redress
7.1. What are the procedures which allow individuals the opportunity to seek access to or redress of their own information?
If appropriate, the form in the workflow process will contain a Privacy Act notice which includes provision for individuals to have the opportunity to seek access or redress of their own information.
7.2. How are individuals notified of the procedures for seeking access to or amendment of their information?
The Privacy Act notices include provisions for individuals to have the opportunity to seek access or redress of their own information. The privacy policy is posted on the BPMU web site and directions for seeking access to or redress of information are also available on BPMU’s website.
7.3. If no opportunity to seek amendment is provided, are any other redress alternatives available to the individual?
N/A
7.4. Privacy Impact Analysis: Discuss any opportunities or procedures by which an individual can contest information contained in this system or actions taken as a result of agency reliance on information in the system.
The Privacy Act notices include provisions for individuals to have the opportunity to seek access or redress of their own information.
Section 8.0
Technical Access and Security
8.1. Which user group(s) will have access to the system?
Managers, system administrators, contractors, developers, and authorized users who have a need-to-know the information.
8.2. Will contractors to the Department (DOJ/FBI) have access to the system? If so, please submit a copy of the contract describing their role with this PIA.
Yes, contractors to the Department (DOJ/FBI) have access to the system. Currently, the contractors working on EPAS are Booz Allen Hamilton and Dynamic System Solutions, Inc. (DSSI).
8.3. Does the system use “roles” to assign privileges to users of the system?
Yes, please refer to section 2.3 and 3.5.
8.4. What procedures are in place to determine which users may access the system and are they documented?
As noted in section 2.3 and 3.5, users must submit a System Access Request (SAR) to gain access to any process in EPAS. After Division POC approval, the form must be signed by a process owner before access is granted. As of July 20, 2009, all approvals for EPAS will be maintained within the system. Prior to this date, all approvals were collected and maintained via signed forms.
8.5. How are the actual assignments of roles and rules verified according to established security and auditing procedures?
During development of the system, the EPAS team specifically outlined different roles within each process to ensure the enforcement of separation of duties and that information is presented only on a need-to-know basis. User accounts are managed through the FBI’s Active Directory database for user access to the FBI Secret Enclave. EPAS will control and limit user access based on identification and authentication of the user. Users are not able to perform actions without proper user privileges. When an EPAS user attempts to access the system through single sign on, EPAS determines the logon ID of the incoming user and then checks the EPAS user database to verify the user is authorized to access the system. If the user has an account in EPAS, he or she is provided access to the EPAS interface.
EPAS users must fill out a Security Access Request (SAR), which is approved by their Division POC and then, if required, the system owner. Upon approval, the SAR will be provided to the appropriate Process Administrator for account creation. This ensures that no one will have access to a specific record unless he/she, by virtue of his/her official function or responsibility, has been pre-authorized by the responsible record or data owner.
Furthermore, there will be an audit trail in which all changes made to the records will be time and date stamped with the identity of the person accessing the record and making the change. System actions taken by EPAS users are recorded in a history table, which records the time and date the action was taken, who took the action and the name of the action taken. This is useful for auditing and oversight purposes.
The strict enforcement policy ensures that access is granted only to those individuals with a verified need-to-know the information and whose identity has been authenticated. The user roles for EPAS are validated annually. The process owner can audit the user roles for their process by submitting a request via EC to the BPMU Unit Chief.
8.6. What auditing measures and technical safeguards are in place to prevent misuse of data?
Privacy risks identified include improper access to the data and misuse of the information in the database. During development of the system, the EPAS team specifically outlined different roles within each process to ensure the enforcement of separation of duties and that information is presented only on a need-to-know basis. User accounts are managed through the FBI’s Active Directory database for user access to the FBI Secret Enclave. EPAS will control and limit user access based on identification and authentication of the user. Users are not able to perform actions without proper user privileges. When an EPAS user attempts to access the system through single sign on, EPAS determines the logon ID of the incoming user and then checks the EPAS user database to verify the user is authorized to access the system. If the user has an account for a process in EPAS, he or she is provided access to the EPAS interface for that process.
EPAS users must fill out a System Access Request (SAR), which is approved by their Division POC and then, if required, the system owner. Upon approval, the SAR will be provided to the appropriate Process Administrator for account creation. This ensures that no one will have access to a specific record unless he/she, by virtue of his/her official function or responsibility, has been pre-authorized by the responsible record or data owner.
Furthermore, there will be an audit trail in which all changes made to the records will be time and date stamped with the identity of the person accessing the record and/or making the change. System actions taken by EPAS users are recorded in a history table, which records the time and date the action was taken, who took the action and the name of the action taken. This is useful for auditing and oversight purposes.
The strict enforcement policy ensures that access is granted only to those individuals with a verified need-to-know the information and whose identity has been authenticated.
8.7. Describe what privacy training is provided to users either generally or specifically relevant to the functionality of the program or system?
Authorized users are required to take INFOSEC training annually. Additionally, all privileged users of the system take the yearly Privileged User and Privacy training offered by the FBI. Training on specific EPAS functions is provided to users when new processes are rolled out. EPAS training is also available via the FBI intranet.
8.8. Is the data secured in accordance with FISMA requirements? If yes, when was Certification & Accreditation last completed?
Yes; September 30, 2007. The Authority to Operate expires in March 2012.
8.9. Privacy Impact Analysis: Given the access and security controls, what privacy risks were identified and how they were mitigated?
Some of this information may be particularly sensitive, and risks would include the possibility of access by unauthorized persons within the FBI. These risks are mitigated by having a role based system and by using SAR to streamline the system access approval through the process owner.
Within the FBI, the automated data is only accessible through the FBI’s internal FBINET. Access to EPAS applications is driven by FBI’s Active Directory database (AD) for user access to the FBI Secret Enclave. Users must have a valid entry and password in the AD to access EPAS. EPAS will control and limit user access based on identification and authentication of the user. EPAS is a role-based system. Users are not able to perform actions without proper user privileges. When an EPAS user attempts to access the system through single sign on, EPAS determines the logon ID of the incoming user and then checks the EPAS user database to verify the user is authorized to access the system. If the user has an account for a process in EPAS, he or she is provided access to the EPAS interface for that process. All authorized personnel who interact with the system have an active top secret clearance.
EPAS users must fill out a SAR, which is approved by their Division POC and then the system owner. Upon approval, the SAR will be provided to the appropriate Process Administrator for account creation. System actions taken by EPAS users are recorded in a history table. This records the time and date the action was taken, who took the action and the name of the action taken. This is useful for auditing purposes and oversight purposes.
Section 9.0
Technology
9.1. Were competing technologies evaluated to assess and compare their ability to effectively achieve system goals?
No. EPAS is built on the Metastorm Business Process Management product as the enterprise license for Metastorm had already been purchased by the Sentinel project. Metastorm is a commercially available off the shelf (COTS) IT product developed by Metastorm, Inc. The COTS product is used to manage workflow in both the private and public sectors.
9.2. Describe how data integrity, privacy, and security were analyzed as part of the decisions made for your system.
Metastorm/EPAS went through Security Division’s Certification and Accreditation (C&A) process before purchasing the product. This process ensures all IT products purchased meet minimum requirements for security (including data integrity and privacy concerns). See Policy 0141D, Policy Directive Title “Information Systems Certification and Accreditation” dated 10/31/2008 for more details on the C&A process.
9.3. What design choices were made to enhance privacy?
The personally identifiable information was only available for users whose roles required the information to perform their duties. The SSNs were masked on the user interface which is viewed by the general users. In some of the processes only the last 4 digits of the SSN were required for validation purposes. EPAS team is exploring the option to use the unique employee identifier from BPMS instead of using the SSN.
Additionally, the automation of paper processes that EPAS provides will assist the FBI in ensuring that the records are accurate, complete, and timely.
Conclusion
As part of its automation of existing, primarily paper intensive, data collection methods, EPAS does not collect any new information or data beyond what was previously collected. It will result in more information being readily accessible for authorized purposes, permitting a more efficient analysis of data that is either already in the FBI’s possession or accessible to the FBI. Although EPAS provides for the consolidation of data, it does not involve any new collection techniques that might affect personal privacy. The automation will make this more efficient, and will assist the FBI in ensuring that the records are accurate, complete, and timely. Within the FBI, the automated data is only accessible through the FBI’s internal FBINET (secret classified network). All the authorized individuals accessing EPAS system have an active top secret security clearance. As outlined above, BPMU can ensure the security of the system through audits of activity and accountings of disclosures.
The FBI will continue to place an emphasis on privacy as the system develops. In addition to ensuring adequate security requirements are in place to protect the information, the FBI will also consider whether any information in the system should be shared with other agencies consistent with Privacy Act requirements and, if so, how to best protect individual privacy during any such information-sharing. The FBI will also consider how best to balance a design for individuals to be notified of, to access, and to correct information in the system with the business needs of the system. The FBI will evaluate the status of the records in the system so as to comply with all Federal Records Act requirements. The FBI will consider any viable alternatives in order to arrive at a system design that is efficient, effective and that protects individual privacy. Before system implementation or at any point if significant changes occur that warrant a separate privacy impact assessment, the FBI will publish an update to this PIA.
Appendix A
1. Intra-Government Payment and Collection Process (IPAC): The IPAC Workflow is the Finance Division’s automated back-end reconciliation process for payments made to and received from other government agencies. The Commercial Payments & Confidential Services Unit (Finance Division) uses this workflow to work with Contracting Officers, Program Managers, and Contracting Officers Technical Representatives (COTRs) to account for and process IPACs. The FBI processes over $1 billion IPACs per year using this workflow. The names of the employees in the above positions will be collected in the workflow.
2. SF-52 process: SF-52 is a process that automated the Request for Personnel Action SF-52 form which electronically links all personnel involved in processing SF-52 requests for FBI employees. The SF-52 process controls (initiates/modifies) all personnel actions that affect an employee (i.e. promotions, demotions, retirements, within grade increases, quality step increases). With the new system, field offices/divisions can enter the SF-52 in the field and monitor with true accountability the process all the way through to the transmission of the SF-52 to National Finance Center. The SF‑52 EPAS process provides users with an intuitive, single‑entry, error‑proofed, and managed workflow tool that dramatically improves SF‑52 information quality. The SF‑52 process includes sensitive personnel data (name, SSN, DOB, address, phone, grade, salary, EOD date) from the National Finance Center (NFC) and the Bureau Personnel Management System (BPMS). The SF‑52 process went live in the EPAS in November 2007. (A PTA was written for this system May 14, 2007.)
3. RPO Priority Hiring is the workflow process that allows users to submit requests to fill professional staff vacancies or realign Funded Staffing Levels (FSL) within an office. In addition, requests involving “protected” positions are seamlessly routed to the proper Headquarters program manager for concurrence prior to submission to the RPO. The only PII collected in this process is the name of the employee.
4. Professional Staff Hiring Process: The cost to the Bureau of a slow and complicated staffing process includes wasted time, excess costs, and the loss of potential quality hires due to frustration or simply other jobs. The Professional Staff Hiring Process was automated by utilizing the EPAS to reduce the time required to staff a position, while incorporating features that reduce errors, track metrics, and provide potential cost savings. Professional Staff Hiring automates the process from the posting of the vacancy announcement through all Staffing actions (i.e., QuickHire processes, candidate selection, and Conditional Job Offer). The Hiring Process workflow includes sensitive personnel data (name, SSN, DOB, address, phone) collected through the FBI’s application process, currently Monster Government Solution’s QuickHire. The Support Hiring process also passes selected candidates to the Security Division for background investigation and then picks up candidates once they are favorably/unfavorably adjudicated by Security and takes them through the remainder of the hiring process (i.e., discontinuation of applicant or generation of the Appointment Letter, links to the SF-52 process). The hiring official, senior management and staffing specialists now can maintain full visibility of a candidate’s progress throughout the entire Professional Staff Hiring process.
5. Awards is an automated process to allow field and HQ staff the ability to enter, approve, and track metrics against awards given to FBI employees throughout the year. It sends daily actions to the National Finance Center and tracks each Division’s awards budget by showing the original budget, the obligated amount, the processed amount, and the new balance. It also allows for paperless transition of awards through the process including Equal Employment Opportunity and Office of Professional Responsibility checks. Throughout the process POCs receive email updates on the status of their submission(s) and designated personnel will have the ability to run reports that will provide important metrics on submitted awards. Personally identifiable information (name, social security number, etc.) is used in the Awards process so that the Award can be processed by the National Finance Center.
6. Automated Special Agent Promotion Process (ASAPP) is a process that automates the job posting, application, and selection for special agents and replaces the Job Posting Application subsystem of BPMS. It provides the user the ability to track the job posting process from searching, applying, and selecting for a job to the transferring to a new position. The user queries the system for jobs and applies to the posting online. The ASAPP process collects personally identifiable information for tracking the applicant through the process (name, SSN). Once submitted, the application is taken through several stages for verification. If an error is found, the application is sent back to the user for correction; otherwise, it is stored in a “queue” waiting for consideration. When a job posting is closed, the application goes through a selection process where it is rated and ranked by the current Division Head and Local Career Board (LCB). Final posting selection(s) is made at a Special Agent Mid-Management Selection (SAMMS) Board meeting. When selection(s) is made, the system sends detailed email notification(s) to other applicants explaining the reason for not being selected. It takes the selectee through the Transfer process. The automation of ASAPP represents a tremendous saving to the Bureau in terms of man hours spent to prepare for each SAMMS Board meeting, 1.2 million pieces of paper each year, and the reduction of errors and increase in accuracy of the user’s application(s).
7. The Transfers process allows the Human Resources Division Transfer Unit to initiate, approve, and disseminate transfer orders. All new transfer orders are forwarded automatically to the transferring employee via email once the orders are approved. This new process also provides an online mechanism for creating and processing obligation documents and related vouchers through the payment process. The Transfers process collects personally identifiable information related to employee data (name, SSN).
8. Clearance Processing System (CPS) is a process that includes data input, data edit, searching, tracking, and reporting functions in order to automate the background investigation process. It provides the user with the ability to directly import SF‑86 data via the FBI’s One Way Transfer (OWT) solution. OWT automatically transfers SF‑86 files, which originate at the Office of Personnel Management’s (OPM) Electronic Questionnaires for Investigations Processing (e‑QIP) system to the FBI’s Secret Enclave. CPS will retrieve the data residing on the file server; this process is part of the OWT. Once the SF‑86 data is received via the FBI OWT, CPS pushes data to the Case Assignment & Retrieval Sub‑System (CARS) database, the Background Investigation Document Sub‑System (BIDSS) database, the National Name Check Program (NCP), the Automated Case Support (ACS), and the Bureau Personnel Management System (BPMS) to assist the current CPS user community. The CPS process collects personally identifiable information related to the background investigation (name, SSN, DOB, address, phone).
9. The System Access Request process routes IT access related tasks for approval and implementation. Major purposes include creating computer accounts for new employees, adding or removing specific accesses, deactivating accounts for employees separating from the FBI, and requesting a name change update for Non‑bureau employees. The process collects personally identifiable information including name and social security number.
10. BPMU Issue Tracking System (BITS): The BITS process is an automated process that allows the BPMU to track all operations & maintenance requests and enhancement requests for improving EPAS and the processes within EPAS. The system is mainly used internally to prioritize tasks for the team and does not contain personally identifiable information.
11. Training Request and Budgeting System/Travel Expense Enterprise (TRUSTEE): The TRUSTEE process is designed to provide a seamless process of tracking training event requests and expenses from the point of submitting a training event request, through financial obligation and financial reconciliation. This system will allow the FBI to more effectively manage estimation of training costs by collecting information for every student and providing the ability to reconcile paid training vouchers versus the obligated amounts.
12. Automated Requisition Tool (ART): The ART process tracks the end-to-end requisition process at the FBI. It allows an end user to enter a requisition, then sends it through the approval chain (FD, IT, division) and finally to the Contracting Officer for processing. ART does not track PII beyond the names and phone numbers of the employees or vendors involved in the requisition process.
13. Self-Reporting Sub-Programs (SRSP): The SRSP automates the self-reporting forms that employees must submit to SecD to notify them of changes in marital status, roommates, foreign contacts, foreign travel, outside employment and general self-reporting. This process will allow employees to input their information, will send that information to the employee’s security officer, and then to SecD for processing. EPAS will push data from this process to the Case Assignment & Retrieval Sub-system (CARS). This process will contain personally identifiable information such as name, SSN, DOB, phone number, and address.
Appendix B: EPAS Privacy Notice
Enterprise Process Automation System (EPAS) is a workflow system designed to automate the review, routing, and approval of personnel, security, and financial forms and actions. EPAS will extract and store personally identifiable information from existing FBI records or from records that are available to the public.
Information is collected pursuant to 5 U.S.C. 301 and 44 U.S.C. 3101, which pertain to the custody, use, and preservation of agency records; and Executive Order 9397, as amended by Executive Order 13478, which permits agencies to collect social security numbers for identification purposes. Completion of forms in EPAS is voluntary, but unless you provide the information, the FBI may be unable or unwilling to process the particular personnel, security, or financial application or request. These forms are maintained in the appropriate section of your personnel folder and copies may be maintained by a supervisor. These forms may be shared outside the FBI with appropriate officials and employees of a Federal, state, local or foreign agency or entity when the information is relevant to a decision concerning hiring, appointment or retention of an employee, issuance, renewal, suspension or revocation of a security clearance, execution of a suitability investigation or the issuance of a benefit. Forms may also be shared for other purposes compatible with the purpose for which the information was collected.
Appendix C: Quickhire and SF-86 Privacy Notices
Quickhire/Office of Personnel Management privacy policy
SF-86 (Privacy Act Routine Uses reprinted from page 2 of the form):
1. To the Department of Justice when: (a) the agency or any component thereof; or (b) any employee of the agency in his or her official capacity; or (c) any employee of the agency in his or her individual capacity where the Department of Justice has agreed to represent the employee; or (d) the United States Government, is a party to litigation or has interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records by the Department of Justice is therefore deemed by the agency to be for a purpose that is compatible with the purpose for which the agency collected the records.
2. To a court or adjudicative body in a proceeding when: (a) the agency or any component thereof; or (b) any employee of the agency in his or her official capacity; or (c) any employee of the agency in his or her individual capacity where the Department of Justice has agreed to represent the employee; or (d) the United States Government is a party to litigation or has interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records is therefore deemed by the agency to be for a purpose that is compatible with the purpose for which the agency collected the records.
3. Except as noted in Question 23 and 27, when a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute, particular program statute, regulation, rule, or order issued pursuant thereto, the relevant records may be disclosed to the appropriate Federal, foreign, State, local, tribal, or other public authority responsible for enforcing, investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order.
4. To any source or potential source from which information is requested in the course of an investigation concerning the hiring or retention of an employee or other personnel action, or the issuing or retention of a security clearance, contract, grant, license, or other benefit, to the extent necessary to identify the individual, inform the source of the nature and purpose of the investigation, and to identify the type of information requested.
5. To a Federal, State, local, foreign, tribal, or other public authority the fact that this system of records contains information relevant to the retention of an employee, or the retention of a security clearance, contract, license, grant, or other benefit. The other agency or licensing organization may then make a request supported by written consent of the individual for the entire record if it so chooses. No disclosure will be made unless the information has been determined to be sufficiently reliable to support a referral to another office within the agency or to another Federal agency for criminal, civil, administrative, personnel, or regulatory action.
6. To contractors, grantees, experts, consultants, or volunteers when necessary to perform a function or service related to this record for which they have been engaged. Such recipients shall be required to comply with the Privacy Act of 1974, as amended.
7. To the news media or the general public, factual information the disclosure of which would be in the public interest and which would not constitute an unwarranted invasion of personal privacy.
8. To a Federal, State, or local agency, or other appropriate entities or individuals, or through established liaison channels to selected foreign governments, in order to enable an intelligence agency to carry out its responsibilities under the National Security Act of 1947 as amended, the CIA Act of 1949 as amended, Executive Order 12333 or any successor order, applicable national security directives, or classified implementing procedures approved by the Attorney General and promulgated pursuant to such statutes, orders or directives.
9. To a Member of Congress or to a Congressional staff member in response to an inquiry of the Congressional office made at the written request of the constituent about whom the record is maintained.
10. To the National Archives and Records Administration for records management inspections conducted under 44 U.S.C. 2904 and 2906.
11. To the Office of Management and Budget when necessary to the review of private relief legislation.