Privacy Impact Assessment Licensing Application Data Collection

United States Mint
Privacy Impact Assessment
Licensing Application Data Collection
Overview

The Licensing Application Data Collection (“the Collection”) is a highly manual process. The Office of Sales and Marketing’s Office of Licensing will obtain data through electronic mail, fax or non-electronic delivery (the United States mail). Note: Currently there is no facility nor is it currently contemplated that the system will allow direct upload for the collection of data through United States Mint web sites. While some of the information, once collected, will be maintained on United States Mint information technology systems in the form of a spreadsheet on a network storage device (program officials’ H-drives), the data collection does not involve electronic databases or online components other than a non-interactive webpage containing an email link to access a form that users will print out for mailing, e-mailing or faxing to the Office of Licensing, United States Mint.

A. Contact Information

1. Who is the person completing this document?

Collaborative effort: United States Mint SBU/Offices: Office of Sales and Marketing (SAM), Office of Licensing; and Office of the Chief Information Officer (OCIO), Office of Information Security, Plans and Analysis Division/Records Management Division

2. Who is the System Owner?

Patrick McAfee, Manager, Office of Licensing, SAM

3. Who is the Program Manager for this system or application?

Cathy Laperle, Senior Licensing Specialist, Office of Licensing, SAM

4. Who is the Information System Security Manager who reviewed this document?

Terry Bartlett, Assistant Director, Office of Information Security

5. Who is the IT Reviewing Official?

Rene’ Smeraglia, Senior Risk Management Officer

6. Who is the Bureau Privacy Act Officer who reviewed this document?

Kathleen Saunders-Mitchell, United States Mint Disclosure Officer

B. System Application/General Information

1. Does this system contain any personal information about individuals?

Yes. The system will contain personal information for individual applicants or sole proprietors of businesses. Information collected will contain their names, addresses, phone numbers, email addresses, and fax numbers, if any. Also, if any individual applicant or sole proprietor applies for a commercial product license, the system will contain Dun and Bradstreet (D&B report) information about the individual, and general company information for applicant and applicant’s agent that includes: contact name, address, business phone and fax number, business e-mail address, type of company, number of years in business and annual revenues from sales for company.

2. What is the purpose of the system/application?

The purpose of the Collection is for the United States Mint, Office of Licensing to review and assess applications for licensing of the United States Mint trademarked and copyrighted material for business purposes. The information collected is voluntary and will be used internally by authorized United States Mint employees and contractors working for the United States Mint for the business purpose of evaluating applications for licenses. The intended use of the information is to:

  1. Properly evaluate the license application against established criteria to determine if a license is to be issued.
  2. Perform studies and statistical analyses.
  3. Maintain records of applicant data.
  4. Adequately respond to various types of inquiries.

3. What legal authority authorizes the purchase or development of this system/application?

This system was developed for internal use to monitor and track the applications received at the United States Mint requesting a license to use United States Mint trademark and copyright material. Our authority to ask for personal information comes from 31 U.S.C. §§ 5111, 5112, 5131, 5132 & 5136; 31 C.F.R. Part 92; and other Acts of Congress authorizing the sale of commemorative coins and medals.

C. Data in the System

1. What categories of individuals are covered in the system?

There are two types of categories covered in the system: 1) Commercial Product License Applications and 2) Non-product License Applications. Listed below is the data collected for each category.

Commercial Product License Applications

  1. General company information for applicant and applicant’s agent (name, address, phone and fax number, e-mail address, type of company, number of years in business, and annual revenue from sales)
  2. Applicant’s proposed and intended use of United States Mint owned/controlled intellectual property
  3. Financial information (projected sales forecast for proposed licensed product(s); proposed term of license agreement, royalty rate, royalty advance, minimum royalty guarantee, launch date, sales figures, insurance, credit rating, bank references and credit history)
  4. Manufacturing experience (manufacturing location (USA or other country); manufacturing completed in house or subcontracted; manufacturing timeline; and quality control policies)
  5. Licensing experience (previous licensee experience)
  6. Distribution channels (current and/or proposed channels of distribution)
  7. Advertising and Marketing Objectives (marketing and promotion plan; advertising budget)

Non-product License Applications

  1. General company information for applicant and applicant’s agent (name, address, phone and fax number, e-mail address, type of company, number of years in business, and annual revenue from sales)
  2. Applicant’s proposed and intended use of United States Mint owned/controlled intellectual property

2. What are the sources of the information in the system?

Application information received from applicants and, for commercial product license applications, Dun and Bradstreet (D&B) reporting information.

2a. Is the source of the information from the individual or is it taken from another source? If not directly from the individual, then what other source? For commercial product license applicants, a D&B report is run to verify the company standing and background. For applicants other than commercial product license applicants, and for commercial product license applicants if a D&B report is not available for the applicant, references are requested, and additional research via contacting the references may be necessary.

2b. What Federal agencies are providing data for use in the system? None.

2c. What State and/or local agencies are providing data for use in the system? None.

2d. From what other third party sources will data be collected? If necessary, references identified by the applicant may be contacted to validate application information.

2e. What information will be collected from the employee and the public? No information will be collected from employees. The types of information collected from the public are addressed in Item 1 of this section.

3. Accuracy, Timeliness, and Reliability

3a. How will data collected from sources other than bureau records be verified? After information is received from applicants, Mint staff conducts due diligence by verifying company standing and background via D&B report and/or contacting references listed on the application.

3b. How will data be checked for completeness? All applications are reviewed and assessed for completeness. Applicants are contacted if necessary to verify the information received.

3c. Is the data current? What steps or procedures are taken to ensure the data is current and not out-of-date? Name of document (e.g. data models). For commercial product license applications, a D&B report is run upon receipt of the application and updated as necessary. Licensing decisions are made based on information collected during the pendency of the application process.

D. Attributes of the Data

1. Is the use of the data both relevant and necessary to the purpose for which the system is being designed? Yes, the data collected for the internal system is necessary for its intended use of evaluating applications for licensing, to maintain records of applicant data, and to identify the status of applications in process to adequately respond to inquiries.

2. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected, and how will this be maintained and filed? Application data is manually combined with reference information and Dun and Bradstreet information (where collected) to create an application summary. Data is entered manually by authorized employees and contractors working for the United States Mint and will be maintained on a spreadsheet stored in a network storage device.

3. Will the new data be placed in the individual’s record? All information received on an applicant is stored in the applicant’s record, along with any information collected from prior applications by the same applicant.

4. Can the system make determinations about employees/public that would not be possible without the new data? No, the information is entered manually by authorized employees and contractors working on behalf of the United States Mint. Authorized United States Mint employees make the final determination for issuance of license.

5. How will the new data be verified for relevance and accuracy? New data is verified with the established controls used to validate information received.

6. If the data is being consolidated, what controls are in place to protect the data from unauthorized access or use? The information is provided to the Office of Licensing via standard mail, e-mail or fax. Information about the applicant company may be obtained by the Office of Procurement and forwarded to the Office of Licensing for storage in paper form and (for e-mail) on workstation and network storage drives.

The data may include identifiable information about individuals in the form of printed forms, faxed copies of the forms and applicant email. The physical controls for access to the data include:

  1. A controlled-access government building
  2. Lockable cabinets for hard-copy information storage
  3. Controlled access storage for email (limited to authorized users)
  4. Storage of electronic data on network drives (limited to authorized users)

7. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Yes. If processes are consolidated in the future, the steps to ensure protection of the data will be tested and verified.

8. How will data be retrieved? Does a personal identifier retrieve the data? If yes, explain and list the identifiers that will be used to retrieve information on the individual. Information will be retrieved by company name or applicant agent listed on the application.

9. What kinds of reports can be produced on individuals? What will be the use of these reports? Who will access them? Reports are prepared manually by project staff, and they may include status reports, project tracking reports, reports/briefings for the Director of the United States Mint, and reports referencing general licensing status. Reports may be made available to the United States Mint’s Deputy Director and Director, and to United States Mint employees and contractors in its Sales and Marketing, Chief Counsel, Manufacturing, and Public Affairs offices and other Strategic Business Units as deemed necessary. The primary purpose of these reports is to provide the status of any United States Mint pending or current license or licensing activity, for United States Mint decision-making and business planning purposes. Examples of information that may be included are the name of the potential or actual licensee, products under development, products sold under a license granted to the licensee, distribution channels, and pending, closed and active applications.

E. Maintenance and Administrative Controls

1. If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites? The internal system is used in one site (United States Mint, Washington D.C., Headquarters Office).

2. What are the retention periods of the data in this system? The system is being evaluated to establish proper maintenance and disposition of the records contained in the system. Information entered into the system will be maintained in the secured environment until approved disposition is identified in accordance with National Archives and Records Administration requirements.

3. What are the procedures for disposition of the data at the end of the retention period? How long will the reports produced be kept? Where are the procedures documented? The disposition data will be maintained in accordance with approved retentions. The internal ad hoc reports will be kept as long as necessary and in accordance with authorized disposition. The procedures for maintenance and disposition of the data will be identified in agency file plans.

4. Is the system using technologies in ways that the bureau/office has not previously employed (e.g. monitoring software, Smart Cards, Caller-ID)? No, currently none of the technologies listed are used to access or monitor the system.

5. How does the use of this technology affect public/employee privacy? Not applicable, see previous response.

6. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain. The system will be used to track the number and status of applications received at the United States Mint, requesting trademark and copyright licenses. It is intended to contain names, addresses, e-mail addresses and telephone numbers that will be used to contact individuals in connection with processing license applications. It is not intended to otherwise identify, locate or monitor individuals.

7. What kinds of information are collected as a function of monitoring of individuals? Not applicable. No information is collected in the system for monitoring individuals.

8. What controls will be used to prevent unauthorized monitoring? Data is secured in the following manner:

  1. Locked offline file cabinets
  2. H drive (network storage devices under access control, i.e., username/password required for access)
  3. Mail server (for e-mail responses, i.e. username/password required for access)
  4. Fax machine (temporary storage for duration of the temporary storage)

9. Under which Privacy Act system of records notice does the system operate? A system of records notice is being created under section 552a of Title 5 United States Code, and will be published in accordance with Privacy Act requirements.

10. If the system is being modified, will the Privacy Act system of records notice require amendment or revision? Explain. Not applicable, this is a new system as of the founding of the Office of Licensing.

F. Access to Data

1. Who will have access to the data in the system? (e.g., contractors, users, managers, system administrators, developers, others.) The individuals that will have access to the data will include authorized employees and contractors working for the United States Mint.

2. How is access to the data by a user determined? Are criteria, procedures, controls, and responsibilities regarding access documented? Only authorized individuals performing the functions necessary for processing the data will have access to the system.

3. Will users have access to all data on the system or will the user’s access be restricted? Explain. Authorized users will have access to data applicable to the functions being performed for processing the data.

4. What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by those having access? (Please list process and training materials.) The Office of Licensing controls key access to the manual files. Also, see E.8.

5. Are the contractors involved with the design and development of the system and will they be involved with the maintenance of the system? If yes, were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed? Contractors will prepare and set up the web pages, and service the program office’s H-drives. Privacy Act contract clauses were inserted in their contracts and the contractors are aware of nondisclosure requirements.

6. Do other systems share data or have access to the data in the system? If yes, explain. No.

7. Who will be responsible for protecting the privacy rights of the public and employees affected by the interface? The program office and system owner will be responsible for assuring proper use of the data contained in the system.

8. Will other agencies share data or have access to the data in this system (e.g. Federal, State, Local, and Others)? Parties to whom information may be disclosed may include: (1) appropriate Federal, state, local or foreign agencies responsible for investigating or prosecuting the violations of, or for enforcing or implementing, a statute, rule, regulation, order, or license; (2) Federal, state, or local agencies maintaining civil, criminal or other relevant enforcement information or other pertinent information, which have requested information relevant to or necessary to the requesting agency’s or the bureau’s hiring or retention of an employee, or issuance of security clearance, license, contract, grant or other benefit; (3) a court, magistrate, or administrative tribunal in the course of presenting evidence, including disclosures to opposing counsel or witnesses in the course of civil discovery, litigation, or settlement negotiations, in response to a court-ordered subpoena, or in connection with criminal law proceedings; (4) foreign governments in accordance with formal or informal international agreements; (5) a Congressional office in response to an inquiry made at the request of individuals to whom the record pertains; (6) the news media in accordance with guidelines contained in 28 CFR 50.2 which relate to an agency’s functions relating to civil and criminal proceedings; (7) third parties during the course of an investigation to the extent necessary to obtain information pertinent to the investigation; (8) accounting offices, managers, supervisors and government officials pertaining to cash receivables and debts owed the Government.

9. Who is responsible for assuring proper use of the data? The program office and system owner will be responsible for assuring proper use of the data contained in the system.

Updating the Privacy Impact Assessment

If requirements of manual storage of the paper-based and email-based information include collection into an electronic database in the future, a new privacy impact assessment will be conducted. Security controls for such a database and any application accessing the information would be reviewed by the Office of Information Security analyst assigned to this IT project to ensure that security controls are included in the design of the system’s application and database, and that security controls are properly configured, tested, documented, and implemented to safeguard information collected and stored in the system.

Supporting Documentation

The assessment conclusions in this report are based upon analysis of the answers received to the questions outlined in this report, which were drawn from the sensitivity assessment questionnaire, and upon research conducted by the risk analyst reviewing and responding to report questions.

Conclusions

The proposed addition to the United States Mint Internet web site is a printable form to be used by members of the public interested in licensing United States Mint trademarked and copyrighted material for business purposes. Required information can be faxed, e-mailed or mailed to the Office of Sales and Marketing, Office of Licensing.

The data collected is process oriented and there will be minimal privacy impact on those from whom personal information is taken. Note: Information collected in this process is protected throughout the life cycle of the system.

The Following Officials Have Approved this Document
1. System Owner

______________________________________________

(Signature)

Name:

Title:

2. Program Manager

______________________________________________

(Signature)

Name:

Title:

3. Information Systems Security Manager

______________________________________________

(Signature)

Name:

Title:

4. IT Reviewing Official

______________________________________________

(Signature)

Name:

Title:

5. Privacy Act Officer

_______________________________________________

(Signature)

Name:

Title:
