Denver Tour Reservation System Privacy Impact Assessment

Introduction

1. Name of System: United States Mint Denver Public Tour and Outreach Reservation System

2. Purpose of the System

Introduction: The United States Mint (sometimes referred to as the “Bureau”) offers guided public tours of the United States Mint at Denver (“Tour(s)”). The Bureau also offers groups (such as schools, coin clubs, civic groups, scouts and organizations for persons with special requirements who may be unable to travel to the facility) the opportunity to request a visit and presentation by Bureau staff covering the Bureau’s history, mission and coin making process, provided these groups meet certain size and location criteria: audiences of a minimum of 50 persons if within the Denver metropolitan area and a minimum of 100 if up to a 2-hour drive from the Denver facility. (“Outreach Program(s)”). Both Tours and Outreach Programs require advance reservations. Walk-in Tours are only available at this facility if sufficient space is available due to cancellations or other absence of scheduled Tours. Public tours of the Philadelphia facility and nonpublic tours where permitted at the facilities are handled in a different manner and are not covered by this assessment. The United States Mint’s other facilities (San Francisco, West Point and Fort Knox) do not offer public tours at this time, and the Bureau does not currently offer educational outreach programs to communities other than locations in the greater Denver metropolitan area.

Currently, arrangements for Tours of the Denver facility and Outreach Programs may be made by phone, fax, email and (for smaller tours only) through an online form, and are managed by the Bureau in a manner similar to other general correspondence. The Denver facility is proposing to upgrade the current process by launching the Denver Mint Public Tour and Outreach Reservation System, which would serve to improve the methods currently used to request, schedule and manage these arrangements, and allow the Bureau enhanced ability to contact individuals making arrangements when it is necessary for the Bureau to reschedule or cancel. (“Upgrade”).

There is a recommended minimum age of 7 years old for all Tours. Both under the current regime and after the planned Upgrade, arrangement methods and services for Tours differ based on whether the touring group is 15 or fewer persons (“Small Tour(s)”), or 16 or more persons (“Group Tour(s)”). In addition to information the United States Mint may collect for Tours or Outreach Programs, under both the current and upgraded regimes, the Bureau also sends an optional customer satisfaction survey invitation containing a link to the survey to the email address provided by the individual who makes the arrangements (the “Requester”). The Bureau sends this email directly and does not share the Requester’s email address with the survey provider.

3. Will the system be (or is it now) a Major Information system?

Before and after the Upgrade, the system is considered a minor paper and electronic system that will include a web-based application after the Upgrade, when it will provide limited online access for submitting requests for Small Tours, and will make online forms for Group Tours and Outreach Programs available for download, completion and submission by fax or email. In connection with Tours and Outreach Programs, the Bureau will collect and store limited individually-identifying information to be used for arranging, scheduling and providing requested services.

4. Under which SORN(s) does the system/application operate, if any? Provide names(s) and number(s).

The current reservation system operates under United States Mint .007, General Correspondence. The United States Mint expects to file a new SORN in the Federal Register to cover the expanded electronic system.

A. Contact Information

1. Who is the person(s) completing this document?

  • Diane Malcom, Project Management Specialist, Sales and Marketing Department, Web Team, (202) 354-7512, dmalcom@usmint.treas.gov.
  • Jennifer Debroekert, Supervisory Public Affairs Specialist. United States Mint Denver facility, jdebroekert@usmint.treas.gov, (303) 405-4916

2. Who is the system developer/analyst? The United States Mint Office of Corporate Communications developed the current system and the post-Upgrade system requirements. Electronic features of the system were implemented by Lockheed Martin pursuant to its contract with the United States Mint

3. Who is the system owner? Jennifer Debroekert, Supervisory Public Affairs Specialist. United States Mint Denver facility, jdebroekert@usmint.treas.gov, (303) 405-4916

4. Who is the system manager? Diane Malcom, Project Management Specialist, Sales and Marketing Department, Web Team, (202) 354-7512, dmalcom@usmint.treas.gov

5. Who is the Information Systems Security Manager who reviewed this document? Ray Hardy, Division Chief, Information Security, Chief Information Security Officer Information Security Officer, Information Technology Department, (202) 354-7569, rhardy@usmint.treas.gov.

6. Who is the Bureau Privacy Act Officer who reviewed this document? Kathleen Saunders-Mitchell, Chief Counsel Office, Disclosure Office, (202) 354-6788, KSaunders-Mitchell@usmint.treas.gov.

7. Who is the IT Reviewing Official? Ray Hardy, Division Chief, Information Security, Chief Privacy Officer, Information Technology Department, (202) 354-7569, rhardy@usmint.treas.gov

B. System Application/General Information:

1. Does this system contain any personal information about individuals?
Yes.

2. What legal authority authorizes the purchase or development of this system/application? (List statutory provisions or Executive Orders that authorize the maintenance of this information to meet an official program mission/goal.)
31 U.S.C. 5131; 31 U.S.C. 5136.

3. How is privacy addressed in documentation related to system development, including statement of need, functional requirements analysis, alternatives analysis, feasibility analysis, benefits/cost analysis, and especially the initial risk assessment?
The Non-Commerce Software Operations Web-Ops System Design documents identifies functional requirements analysis, the Web-based System Administrator’s Guide, User Guide, Non-Commerce Software Operations and Denver Mint Tour Reservation System Business Rules identify access privileges and roles for designated personnel, administrators, and users for the Tour Reservation System.

C. Data in the System:

1. What categories of individuals are covered in the system?

  • Requesters (as noted in section of the Introduction above) are individuals who may be members of the public or employees who contact the United States Mint at Denver and make arrangements for Tours or Outreach Programs. This category may include Requesters who self-identify as having special requirements.
  • Individual members of the public or employees whose names or descriptions may be volunteered by Requesters as intended Tour or Outreach Program participants in the course of making arrangements for Tours or Outreach Programs, even though this information is not required. This category may include persons described as having special requirements, including those that may prompt requests for accommodations, although names or other personally-identifying information provided by Requesters regarding participants having special requirements are not solicited by the United States Mint. Information on these individuals may be stored because it appears on a submitted form or is needed to make arrangements to address special requirements.

2. What are the sources of the information in the system?

Information in the system, including individually-identifying information submitted to the United States Mint Denver facility, is currently (and after the Upgrade is expected to be) obtained from Requesters, or from persons responding to United States Mint communications in connection with scheduling made to email addresses or numbers provided by Requesters.

2a. Is the source of the information collected directly from the individual or is it taken from another source? If not directly from the individual, then from what other sources could the information come?

Reservation and individually-identifying information such as point-of-contact name, phone, address, fax and email address is currently (and after Upgrade is expected to be) collected directly from Requesters.

However, currently and after the upgrade, Requesters also may provide information concerning individuals with special requirements who may be included among Tour or Outreach Program participants, with or without personally-identifying information concerning such persons. The Bureau does not (currently or after the Upgrade) collect names or other personally-identifying information concerning individuals with disabilities or other special requirements who may intend to participate in Tours or Outreach Programs, except in cases where the Requester volunteers this information or self-identifies as the person with the disability or other special requirement.

Both currently and post-Upgrade, other information (for example concerning scheduling) may be obtained by the Bureau from persons responding to United States Mint communications made to email addresses or telephone numbers provided by the Requester.

2b. What Federal agencies, if any, are providing data for use in the system?

None.

2c. What State and/or local agencies, tribal governments, foreign governments or international organizations, if any, are providing data for use in the system?

None

2d. From what other third party sources will data be collected, if any?

None.

2e. What information will be collected from employees? And what will be collected from the public? (e.g., social security numbers, addresses, telephone numbers, badge numbers, user identifiers, credit card numbers, etc.)

Information collected from the public (which may include employees):

  • For Small Tours: Required information currently collected includes: Number of tour participants; preferred date time frame (no later than 30 days from the date the reservation is attempted); selected date and time from among those offered by the system calendar; email address for Requester or other group point of contact. Optional information currently collected may include names or other personal information volunteered by a Requester registering by phone or contacting the Bureau to discuss special requirements of participants, which could include personal information concerning a third party. The United States Mint does not currently store or use this information in the confirmation process for these Tours. After the Upgrade, for Small Tours the online reservation page will require the first and last name of the Requester and a telephone number, in addition to the email address and scheduling information.
  • For Group Tours: Required information currently collected includes: Name, email address, fax number or postal address, and telephone number for Requester or other group point of contact; group or school name; number of tour participants; three choices of preferred dates and times from those provided on the Bureau’s reservation form; description of group and areas of interest; and age ranges or grades (but not names of participants). Optional information currently collected may include participant names other than the Requester’s or other personal information volunteered by Requester in special requirements or comments/concerns fields of reservation form or by phone, which could include personal information concerning a third party. After the Upgrade, required and optional information collected for Group Tours is not expected to change.
  • For Outreach Programs: Required information currently collected includes: Requester name, fax, phone, email; postal address/location; how the Requester heard of the program; group/school name; group age range/grade level (but not names of participants). Three choices of preferred dates and times from those provided on the Bureau’s reservation form. Optional information currently collected may include participant names other than the Requester’s or other personal information volunteered by Requester in special requirements or comments/concerns fields of reservation form or by phone or additional topics Requester asks to be covered in a presentation, and could include personal information volunteered by Requester about a third party, such as a group member. After the Upgrade, required and optional information collected for Outreach Programs is not expected to change.

3. Accuracy, Timeliness, and Reliability

3a. How is data collected from sources other than from bureau records going to be verified for accuracy?

Information collected is verified through confirmation communications with the Requester.

3b. Is completeness required?

Yes.

3c. How will data be checked for completeness?

Data will be checked during the confirmation process. Additional confirmation communications with Requesters will be added after the Upgrade to provide further verification of scheduled events and group size and composition. Tours and Outreach Programs cannot be scheduled without complete information.

3d. Is the data current?

Yes The Tour and Outreach Program reservation processes are inherently short-term, and Tours may not be reserved more than one month in advance. Data is as current as provided by the individual who provides it.

What procedures will ensure this? We use the confirmation process to validate the accuracy of contact and scheduling information.

3e. Are the data elements described in detail and documented?

Yes

If yes, what is the name of the document?

United States Mint System Design Non-Commerce Software Operations — Web Ops

4. What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of information (other than required or authorized uses)?

Please see Section C 2e for required and optional information collected.

Requesting Tours or Outreach Programs is entirely voluntary. Responding to survey invitations is entirely voluntary. Providing information on comments, concerns or special requirements for participants, including requesters, is also voluntary. Additionally, providing comments, concerns or indications of special requirements of parties other than the Requester do not require personally identifying information. However, if an individual chooses not to provide the minimal information required to reserve, confirm and schedule the Tour or Outreach Program, the United States Mint will not be able to process the request and the requested Tour or Outreach Program will not be available.

Information collected in connection with requests for Tours and Outreach Programs is retained and used by the United States Mint for purposes of scheduling, confirming, planning and in some cases cancelling or rescheduling the requested activities, and for system security. Aggregate non-identifying information (such as volume of visitors or group size) may be included in reports for administrative purposes. Individually-identifying information collected in connection with Tours or Outreach Programs is not used for marketing or other purposes unless such services are separately and expressly requested outside of the system by an individual who is of appropriate age to do so.

5. In what ways will individuals be able to indicate their consent to various uses of their information?

Required information is indicated as such on the form or by the Bureau staff via other means of communication when the Requester requests a Tour or Outreach Program. Survey invitations are sent automatically, but Requesters choose whether or not to respond and complete surveys once delivered.

D. Attributes of the Data:

1. Is the use of the data both relevant and necessary to the purpose for which the system is being designed? Why?

Required information is minimal and relevant to proper scheduling and management of Tour and Outreach Program activities. It is necessary to allow the United States Mint to work with the Requester to schedule, confirm, plan and manage arrangements for Tours and Outreach Programs, understand interests and needs of Tour participants and Outreach Program audiences, and manage visitor volume, interests, and safety. It also provides contact information in case events arise that necessitate changes in scheduling.

Survey responses do not request personally identifying information, and raw data from responses are not collected or stored by the United States Mint and do not appear in the system. Surveys allow the participating public to provide needed feedback to the government, and can provide the Bureau with information to allow continuous improvement of Tour and Outreach Program services.

2. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected, and how will this be maintained and filed?

The system does not and will not derive new data and there is no aggregation of information. While a Requester may volunteer areas of special interests or requirements as part of the original registration process, this information is used by program staff in connection with requested services, and is not combined with any other personally-identifying information stored by the Bureau.

3. Will the new data be placed in the individual’s record?

Not applicable.

4. Can the system make determinations about employees/public that would not be possible without the new data?

Not applicable.

5. How will the new data be verified for relevance and accuracy?

Not applicable

a. Are the records in the system all maintained for the same purpose? Do the records in this system share the same security requirements?

Yes. The records all allow contact, scheduling and management of certain reservation–requiring services provided by the Bureau’s Denver Office of Corporate Communications.

b. Will the records in the system share the same Routine Uses?

Yes

6. If the data is being consolidated, what safeguards and controls are in place to protect the data from unauthorized access or use?

No data is being consolidated.

7. How will the data be retrieved? Does a personal identifier retrieve the data? If yes, explain and list the identifiers that will be used to retrieve information on the individual.

The data in the system is currently stored in paper records by event date and Requester name, and in electronic email files. It may be retrieved from those electronic email files by calendar event date, correspondent name, correspondence date and correspondence subject. Data in the system after the Upgrade is expected to be able to be retrieved by the assigned confirmation number, Requester name, and date of scheduled Tour or Outreach Program.

8. What kinds of reports can be produced on individuals? What will be the use of these reports? Who will have access to these reports?

Aggregate non-identifying information (such as volume of visitors or group size) may be included in reports prepared for administrative purposes and shared with program staff and managers. Reports that identify individuals may include a report containing the personal information of the Requester (individual first name, last name, telephone number, and email address), the confirmation number, date and time of planned Tour or Outreach Program, and any special requirements provided with the request to the extent they pertain to the Requester. These reports will be used to contact the Requester in connection with confirming, arranging and any necessary cancellation or other rescheduling of a Tour or Outreach Program. Only United States Mint personnel with authorized access to system records or a need to know to perform official duties will have access to reports containing personally-identifying information. Authorized United States Mint personnel may pull and access reports from our survey service provider containing aggregate voluntary survey responses that do not contain confirmation numbers, names or email addresses. These reports will be used to improve services offered by the Denver facility.

E. Maintenance and Administrative Controls:

1. If the system is operated in more than one site, how will consistent use of the system and data base be maintained in all sites?

Both currently and following the Upgrade, Tours and Outreach Programs addressed in this assessment are operated and managed centrally at the United States Mint facility at Denver, and standard operating procedures are in place to consistently manage creation and maintenance of records. Currently, paper records and electronic records are created and stored at one site, the United States Mint Denver facility. Following the Upgrade, paper records may continue to be stored at the Denver facility, with electronic records stored both at the Denver facility and at servers serving the Headquarters facility. Reports have been and are expected to continue to be shared with Bureau personnel with a need to know the contents to perform official duties.

2. What are the retention periods of the data in this system? (Note: This question will be completed by the Records Management Officer.)

Data is retained and preserved or destroyed in accordance with NARA schedules for the categories of data in the system and for system security backup data. Data is retained in a form accessible by program staff for more limited periods:

  • Small Tours: Currently, email addresses and other personal or other information provided voluntarily are not stored after the confirmation and survey emails are sent. To allow the Bureau to contact these Requesters about closures or other situations requiring rescheduling or cancellation, after the Upgrade the system will associate and store the Requester’s name, phone, and email address with the Tour confirmation number. All paper and electronic Requester and Tour information accessible to program staff will be stored for 15 days after a Tour and then destroyed.
  • Group Tours: Currently, Requester and Tour information are associated with the Tour confirmation number and stored. Storage includes electronic records and paper files. Email addresses, names and phone numbers and other personal required and voluntarily-provided information are stored together with the Tour confirmation number in electronic records with other emails, and with paper records until 15 days after the Tour, and are then destroyed. After the Upgrade, all paper and electronic Requester and Tour information accessible to program staff will be retained for 15 days after a Tour and then destroyed.
  • Outreach Programs: Currently, Requester and Outreach Program information are associated with the confirmation number and stored, and information provided for Outreach requests is stored electronically. Storage includes electronic records and paper files. Email addresses, names and phone numbers and other required personal required information and other voluntarily-provided information are stored together with the Outreach Program confirmation number in electronic records with other emails (and paper information is stored with paper records) until after the Outreach Program presentation, and are then destroyed. After the Upgrade, all paper and electronic Requester and Outreach Program information accessible to program staff will be retained for 15 days after a program is conducted and then destroyed.

Disposition: Temporary. Destroy immediately, or when no longer needed for reference, or according to a predetermined time period or business rule (e.g., implementing the auto-delete feature of electronic mail systems).

  • Electronic (e-mail) request delete 45 day after initial request is completed.
  • Hard copy (faxed) request destroy 45 day after initial request is completed.

3. What are the procedures for disposition of the data at the end of the retention period? (Note: This question will be completed by the Records Management Officer.)

See. E.2 above.

4. Is the system using technologies in ways not previously employed (e.g., monitoring software, Smart Cards, cookies/tracking, Caller ID, migration of paper records)?

The upgrade will use technologies to allow requesters to directly access registration forms and enable to Bureau to obtain, store and retrieve a broader collection of contact information, permitting the United States Mint to contact Requesters to reschedule or cancel Tours and Outreach Programs.

5. How does the use of this technology affect public/employee privacy?

It will request personally-identifying information from individuals requesting Small Tours in addition to those requesting Group Tours to allow for contact by the United States Mint for scheduling purposes.

6. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.

The system is and will be capable of providing the Bureau information concerning the location of Group Tour and Outreach Program Requesters, and some information about the location of the place in which an Outreach Program is requested to take place. Except for maintaining awareness of Tour participants while Tours are underway, both currently and after the Upgrade, the United States Mint does not monitor individuals in connection with Tours or Outreach Programs.

7. What kinds of information are collected as a function of the monitoring of individuals?

Not applicable.

8. What controls will be used to prevent unauthorized monitoring?

Any location information collected is and will be used in accordance with standard operating procedures to provide requested services. Access to the system and information in paper and electronic records is “role-based least- privilege access to perform job activities”. Authorized users receive United States Mint Cyber Security Awareness training, Privacy Awareness training and Rules of Behavior for IT Systems and Devices; and must possess security clearances required for access to United States Mint network, applications and systems.

If the system is web-based, does it contemplate use of persistent cookies or other tracking devices? No.

9. If the system is being modified, will the Privacy Act System of Records Notice require amendment or revision? Explain.

A new System of Record Notice is expected to be completed.

F. Access to Data:

1. Who will have access to the data in the system? (e.g., users, managers, contractors, others) Will those with access to the data have appropriate training and security clearances to handle the sensitivity of the information?

United States Mint authorized users have access to the current and Upgrade system and its data on a “role-based least- privilege access to perform job activities” basis. Users will include bureau Denver and Headquarters Office of Corporate Communications personnel, and contractors operating in various locations supporting system operation and maintenance. Authorized users receive United States Mint Cyber Security Awareness training, Privacy Awareness training and are required to sign Rules of Behavior for IT Systems and Devices. They also must possess security clearances required for access to United States Mint network, applications and systems. See F.2. below for access by other than United States Mint users.

2. How is access to the data by a user determined? Are criteria, procedures, controls, and responsibilities regarding access documented?

For United States Mint users, see response to F.1 above. Procedures are documented in applicable Standard Operating Procedures.

  • Requesters for Small Tours may currently initiate their registrations online through the existing limited web interface. They cannot access or modify their information directly, but may cancel by clicking the “cancel your tour” link in their confirmation email and proceeding to a tour cancellation confirmation page. To modify a reservation, they must cancel and then submit a new request with new information, or telephone the Bureau with their confirmation number to modify. The Upgrade will provide them with a limited ability to cancel existing appointments by clicking on links in reminder emails sent to the email address they provide at the time they make their reservation, but otherwise the United States Mint does not expect to provide Requesters with direct access to their system data.
  • Both currently and post Upgrade, Group Tour and Outreach Program Requesters cannot access or modify their information directly. To cancel or modify a reservation, they must telephone the Bureau to request a change.

3. Will users have access to all data on the system or will the user’s access be restricted? Explain.

See F.2 above for Requesters’ access. Authorized United States Mint employee and contractor users with role- based least- privilege access will have specified access only to data necessary to perform job activities. Certain authorized personnel will have access to all data in the system.

4. What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by those having access? (Please list controls, processes and training materials)

Authorization protocols restrict Bureau user access to authorized users based on their roles, and only provides the least amount of privilege necessary for the user to perform job activities. The level of access is tied to and requires authentication of username and password. The system administrator’s Guide identifies user roles and access privileges.

United States Mint users include employees and contractor personnel that must complete annual mandatory Cyber Security Awareness Training, Privacy Awareness Training and read and agree to the United States Mint User Rules of Behavior for Information Technology Systems and Devices prior to any network and system access.

5. Are contractors involved in the design and development of the system and will they be involved with the maintenance of the system? If yes, were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed?

Contractors are involved with the design, development, and maintenance of the system. Individual contractor employees sign non-disclosure agreements in accordance with the requirements of their employers’ contracts with the United States Mint.

6. Do other systems share data or have access to the data in this system? If yes, explain.

No.

7. Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?

The United States Mint, Office of Corporate Communications, the system owner, along with system administrators and information security staff in the Bureau’s Information Technology Department/Office of the Chief Information Officer are responsible for protecting the privacy rights and data security of the public and employees whose information is in the system, and for ensuring proper management and use of the data contained in the system.

8. Will other agencies share data or have access to the data in this system (Federal, State, Local, Other)? If yes, explain.

No.

9. How will data be used by the other agency(s)?

Not applicable.

10. Who is responsible for assuring proper use of the data?

The United States Mint, Office of Corporate Communications with support by system administrators will be responsible the management of the data in the system.

Content last updated on

A list of linkable tags for topics mentioned on this page.

Tags: