9.1 Describe the purpose(s) for which PII is collected, used, maintained, and shared as specified in
the relevant privacy notices.
The intended use of the PII in the system is to enable the Legal Division to track and fulfill FOIA/PA
requests filed by members of the public seeking access to nonpublic FDIC records, as well as requests
from individuals seeking access to or amendment of records about themselves, pursuant to the
Privacy Act of 1974.
FOIA Division/Office Coordinators may also run reports of their FOIA activity for their supervisors to
allow for appropriate supervisory oversight and exercise of delegated authority. These reports
generally include PII, such as the name of the requester, description of the request, results of the
request (denied, granted), date of request, etc. In addition, FOIA Division/Office Coordinators may
provide their supervisors with copies of records that are potentially responsive for review and
approval prior to release to ensure those records are accurate and responsive to the request.
The FOIA/PA Group provides notice of potentially sensitive FOIA requests to authorized staff within
the Legal Division and Executive Management for awareness of operational impacts. The notice
includes the name of the requester, description of the request, and the date the response is due. In
addition, Executive Management is typically provided copies of records that are potentially
responsive to sensitive requests for review and approval prior to release.
9.2 Describe how the information system or project uses personally identifiable information (PII)
internally only for the authorized purpose(s) identified in the Privacy Act and/or in public
notices? Who is responsible for assuring proper use of data in the information system or
project and, if applicable, for determining what data can be shared with other parties and
information systems? Have policies and procedures been established for this responsibility
and accountability? Explain.
Through the conduct, evaluation and review of privacy artifacts, the FDIC ensures that PII is only
used for authorized uses internally in accordance with the Privacy Act and FDIC Circular 1360.9
“Protecting Sensitive Information” with the use of various privacy controls. Additionally, annual
Information Security and Privacy Awareness Training is mandatory for all staff and contractors,
which includes information on rules and regulations regarding the sharing of PII with third parties.
The Legal Division’s FOIA Program Manager/Data Owner is responsible for the management and
oversight of the data. Additionally, an audit trail process captures actions performed on any of the
data objects. An application-specific Security Awareness Training and a Corporate Security
Awareness and Privacy Orientation, which includes Rules of Behavior, are mandatory trainings for all
users of the system to assure proper use of data. Additionally, FOIA/PA staff in the FDIC’s Legal
Division have User IDs and password-protected access to the records as necessary to prepare
responses to FOIA/PA requests and appeals and to prepare periodic reports, as required by law. The
FDIC notifies the public, including FOIA/PA requesters, and FOIA Mod system users about what
information is collected in the system, and how it is used and disclosed, through applicable system of
records notices that the FDIC has published in the Federal Register and posted online.
9.3 How is access to the data determined and by whom? Explain the criteria, procedures, security
requirements, controls, and responsibilities for granting access.
All authorized FDIC users who have access to data in the system must have the approval of the FOIA
Program Manager/Data Owner in the FDIC Legal Division before access is granted to the system.
Additionally, the system’s functional security limits a user’s access to specific functions and regulates
a user’s ability to update data for a specific function. All access granted is determined on a “need to
know” basis. Guidelines established in the Corporation’s Access Control Policies and Procedures
document are also followed. However, there is some risk that requesters may include sensitive
personal information about themselves, or about other individuals in their request, when filing their
access request. Similar risks are presented by entering data into the system’s responsive documents.
This information could then be compromised by unauthorized access or disclosure.