eMail Enterprise Records Document Management System (eERDMS)
Privacy Impact Assessment
ECA/AECA do not have an automated retention function. Since ECA/AECA are used for
document production purposes, all records contained in these systems are considered copies of
the original and must be maintained for as long as the Congressional inquiry, FOIA request,
litigation, or other oversight request remains active.
F. Briefly describe privacy risks and how information handling practices at each stage of the
“information lifecycle” (i.e., collection, use, retention, processing, disclosure and
destruction) affect individual privacy.
The primary privacy risks for eERDMS are unauthorized access, unauthorized disclosure, and misuse
of the data in the system. These risks are addressed and mitigated through a variety of
administrative and logical security controls. When data is retrieved, all requests go through an
audit request form process with management approvals that ensure the searches are within
an appropriate need and scope.
User access is granted only to authorized individuals by system administrators, and users are
granted access only to the data sets needed in order to perform their job duties; data set access is
also governed and limited by each user’s email domain. Only authorized users are provided
access to eERDMS using single sign-on and validated through the DOI Active Directory.
Administrative access to EES, ECS, and ECA/AECA is granted only to authorized personnel on
an official need-to-know basis. Unique administrator identification and authentication, least
privilege, and audit logs are used to ensure appropriate permissions and access levels. In
many cases, administrators can be granted sufficient rights to fulfill their duties without being
given access to data in the system.
All users of DOI network resources, including contractors, must consent to rules of behavior and
take annual end-user security, privacy and records training in order to obtain access to any DOI
network resource. EES, ECS, and ECA/AECA administrators are also required to take computer
security and privacy role-based training.
EES, ECS, ECA, and AECA have a hierarchical administration consisting of a Lead
Administrator and multiple Support Administrators who supervise administrators at the
Department level, as well as at DOI bureaus and offices. Bureau and Office Records Officers are
responsible for controlling and monitoring access of authorized records staff who are given
access to data for their Bureau or Office. Bureau/Office Administrators and authorized
employees are only granted access to documents and data in EES, ECS, ECA, and AECA to the
extent it is necessary for the performance of their job duties. Access procedures are further
described in the eERDMS System Authorization and Accreditation (A&A) documentation and
the system security plan.
Audit logs, access level restrictions, and least privilege are used to ensure users have access
only to the data they are authorized to view, which serves as a control against unauthorized
monitoring. In addition, firewalls and network security arrangements are built into the
architecture of the system, and NIST guidelines and Departmental policies are implemented to
ensure system and data security. System administrators will review the activities of the users to
ensure that the system is not improperly used, including for unauthorized monitoring.