Restaurant Revitalization Fund Program Post Award Report
OMB: 3245-0424
OCA Restaurant Revitalization Fund (RRF) RRFP 4-9-2025
Small Business Administration
409 3rd Street, S.W.
Washington, DC 20416

Office of Capital Access
Restaurant Revitalization Fund (RRF)
Platform
Privacy Impact Assessment

March 15, 2024

PRIVACY IMPACT ASSESSMENT

OCA RRFP

A. CONTACT INFORMATION
1) Who is the person completing this document?
Nirish Namilae
Technical Lead / ISSO
Office of Capital Access
Nirish.Namilae@sba.gov
2) Who is the Information System Security Manager?
Maurice Turner, Chief Security Policy and Compliance Branch
Office of the Chief Information Officer

Maurice.Turner@sba.gov
Who is the Senior Advisor who reviewed this document?
Stephen Kucharski, Senior Agency Official for Privacy (SAOP)
Office of the Chief Information Officer
Stephen.Kucharski@sba.gov
3) Who is the Privacy Reviewing Official on behalf of SAOP?
LaWanda Burnette
Chief Privacy Officer
Office of the Chief Information Officer
LaWanda.Burnette@sba.gov

B. SYSTEM APPLICATION/GENERAL INFORMATION
The US Small Business Administration (SBA) requires the infrastructure and services to enable a
scalable grant application workflow and process to support the 250,000+ United States restaurants that
could potentially apply for funding.
The RRF system enables users to apply to the SBA for grants through an Application Programming
Interface (API) and through an automated upload portal. The platform is designed to provide robust
automation, routing and review capability, with financial-services domain features that allow the
organization to route loan origination approvals, grant applications, forgiveness processing, and other
related booking and review processing.
The technology has native support for ACH processing, schedule creation, profile and user
management, and API access, and can scale to support up to 25,000 concurrent users and millions of RRF
grant applications with supporting documentation.
T
program in Support of the American Rescue Plan Act. The platform is provided in a cloud-hosted
environment, using a highly elastic, AWS-native secure framework in the FedRAMP-authorized AWS
GovCloud (US) region.

Controlled Unclassified Information

1) Does this system contain any information about individuals? If yes, explain. (Please list the
PII variables and suggest validating via database schema if
Yes, this system contains grant application information as collected from individual applicants by the
security number/Employer Identification Number (EIN), banking information, name, and address, as well
as other data elements required for RRF grants.
a. Is the information about individual members of the public?
Yes, information is collected on members of the public that apply for SBA RRF grants.
b. Is the information about employees? (If specific categories of employees please
indicate)
Employee information is NOT requested unless it is the applicant themselves.

2) What is the purpose of the system/application?
The U.S. Small Business Administration (SBA) awarded funding through the Restaurant
Revitalization Fund program to restaurants, bars, and other similar places of business that serve food or
drink. Since the grant program has ended, the current purpose of this system is to support
audits and post-award litigation of grants made to eligible entities that suffered revenue losses
related to the COVID-19 pandemic.
On March 11, 2021, the American Rescue Plan Act (ARPA) became public law (P.L. 117-2). Section
5003 established the Restaurant Revitalization Fund (Fund) and appropriated $28.6 billion for SBA
to award.
Given the intent of ARPA to provide expeditious relief to the restaurant industry during urgent
circumstances through broad accessibility to grants, RRFP automates application intake,
verification, and approval services as required by the ARPA.

3) Is the system in the development process?
No, system is in production.

4) How will the technology investment (new or updated) affect existing privacy processes?
The
5) What legal authority authorizes the purchase or development of this system/application?
(Statute, Executive Orders, etc.)
Public Law 85-536, 15 U.S.C. 631 et seq. (Small Business Act, all provisions relating to loan
programs); Public Law 85-699, as amended, 15 U.S.C. 661 et seq. (Small Business Investment Act of
1958, all provisions relating to loan programs); and the American Rescue Plan Act (ARPA), public law
P.L. 117-2, Section 5003.


D. DATA ATTRIBUTES
1) Is the use of the data both relevant and necessary to the purpose for which the system is
being designed?
Yes, the data collected is used to manage the RRF grant process as defined in the American
Rescue Plan Act (ARPA) public law (P.L. 117-2). Section 5003.
2) Will the system derive new data or create previously unavailable data about an individual
through aggregation from the information collected, and how will this be maintained and
filed?
No, the system will not derive new data nor will it create previously unavailable data.
3)
N/A
4) Can the system make determinations about employees or members of the public that would
not be possible without the new data?
N/A
5) How is the new data verified for relevance, timeliness and accuracy?
N/A
6) If the data is being consolidated, what controls are in place to protect the data from
unauthorized access or use?
N/A
7) If processes are being consolidated, are the proper controls remaining in place to protect
the data and prevent unauthorized access? If processes are not being consolidated, please state so.
N/A
8) How will the data be retrieved? Does a personal identifier retrieve the data? If yes, explain
and list the identifiers that will be used to retrieve information on the individual.
Data can be retrieved by the loan/grant number and/or Social Security number/EIN.
9) What kinds of reports can be produced on individuals? What will be the use of these
reports? Who will have access to them?
Reports can be produced on the records of individuals to respond to inquiries which
comply with FOIA and Privacy Act requirements. Access is restricted to Program
complies with FOIA and Privacy Act guidelines.

Records maintained as part of the General Records Schedules (GRS) are disposed of in
accordance with applicable SBA policies.
4) Is the system using technologies in ways that the SBA has not previously employed (e.g.,
monitoring software, Smart Cards, Caller-ID)?
No
5) How does the use of this technology affect public/employee privacy?
N/A
6) Will this system provide the capability to identify, locate, and monitor individuals? If yes,
explain.
N/A
7) What kinds of information are collected as a function of the monitoring of individuals?
N/A
8) What controls will be used to prevent unauthorized monitoring?
Risks to unauthorized monitoring of privacy data were identified and broken into three major
categories, with associated mitigating strategies identified in the table below.

Potential Risk                Mitigating Strategy
Loss of data confidentiality  Access control
Loss of data integrity        Incremental and full backups
Loss of data availability     Contingency planning

9) Under which Privacy Act systems of records notice (SORN) does the system operate?
Provide number and name.

The SORNs are SBA 20 and SBA 21.
10) If the system is being modified, will the Privacy Act system of records notice require
amendment or revision?
N/A
F. DATA ACCESS
1) Who will have access to the data in the system? (e.g., contractors, users, managers, system
administrators, developers, tribes, other)
RRFP data is accessed by SBA personnel who support the RRF grant application process. Data can be
accessed by contractors, system administrators, and developers who support the system.
Point-of-Sale (POS) Restaurant Partners can access the applications originated by them via APIs.
Applicants can access their own application data.

2) How is access to the data by a user determined? Are criteria, procedures, controls, and
responsibilities regarding access documented?
Access to data is determined by Agency security roles and procedures/controls. Access
is limited by controlled assignment of a responsibility profile to all users. Each responsibility
comes with a pre-determined set of privileges, limiting the data that may be viewed to those screens
and reports that are within the duties and needs of the user. The servicing centers have
documented procedures and controls to ensure that employees
have access to perform assigned duties.

3) access be restricted? Explain.

Access is limited by controlled assignment of a responsibility profile to all users. Each
responsibility comes with a pre-determined set of privileges, limiting data that may be
viewed to those screens and reports that are within the duties and needs of the user.
4) What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by
those having access? (Please list processes and training materials)
SBA has implemented security roles and procedures to prevent misuse of information.
Access is limited by controlled assignment of a responsibility profile to all users. Each
responsibility comes with a pre-determined set of privileges, limiting the data that may be
viewed to those screens and reports that are within the duties and needs of the user.
System audit trails can be used to document suspicious or irregular log-ons and
navigation of the system. Agency network log-on procedures mandate that a posted
Warning Banner be viewed and acknowledged prior to entry. SBA Privacy Act Systems of
Records SBA 20 and SBA 21 define the routine uses of this information and serve as a control by
defining acceptable uses. Access to information is limited to only those with a need to
know the information.
Mandatory information security and privacy training is required of all employees, including
contractors, in accordance with agency policy. This training also includes the Rules
of Behavior for employees and contractors working on behalf of SBA.
Each contractor must sign a non-disclosure agreement. In addition, contract clauses
are inserted in their contracts to address regulatory measures relating to security.
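The responsibility-profile and audit-trail controls described in items 2 through 4 above, as an added Python example (this is not SBA's or the RRFP platform's code; the profile names, screen names and users are hypothetical and constructed for illustration):

```python
"""Responsibility-profile access control with an audit trail.

Added example, not SBA's or the RRFP platform's own code. It models the controls
described above: one responsibility profile is assigned to each user, every
profile carries a fixed set of screens and reports, anything outside that set
is denied by default, log-on requires acknowledging the warning banner, and every
log-on and navigation event (allowed or denied) is written to an audit trail that
can be searched for irregular activity. Profile names, screen names and the
sample users are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical responsibility profiles: profile -> screens/reports it may view.
PROFILES = {
    "grant_reviewer": {"application_summary", "eligibility_report"},
    "auditor": {"application_summary", "eligibility_report", "payment_history"},
    "sysadmin": {"system_health"},  # runs the platform, does not see case data
}


@dataclass
class AuditEvent:
    ts: str
    user: str
    action: str   # "logon" or "view"
    target: str   # "system" for log-ons, otherwise the screen or report name
    outcome: str  # "allowed" or "denied"


@dataclass
class AccessControl:
    assignments: dict                      # user -> responsibility profile
    sessions: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def _record(self, user, action, target, allowed):
        # Every decision, allowed or denied, is written to the audit trail.
        outcome = "allowed" if allowed else "denied"
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEvent(stamp, user, action, target, outcome))
        return allowed

    def logon(self, user, banner_acknowledged):
        # Deny unless the warning banner was acknowledged and the user holds a profile.
        allowed = banner_acknowledged and user in self.assignments
        if allowed:
            self.sessions.add(user)
        return self._record(user, "logon", "system", allowed)

    def view(self, user, screen):
        # Deny by default: an active session AND the screen must be in the profile.
        profile = self.assignments.get(user)
        allowed = (user in self.sessions
                   and screen in PROFILES.get(profile, set()))
        return self._record(user, "view", screen, allowed)

    def denied_events(self, user=None):
        return [e for e in self.audit_log
                if e.outcome == "denied" and (user is None or e.user == user)]

    def irregular_users(self, threshold=2):
        # Users whose denied-event count reaches the threshold: candidates for review.
        counts = {}
        for e in self.denied_events():
            counts[e.user] = counts.get(e.user, 0) + 1
        return sorted(u for u, n in counts.items() if n >= threshold)


def demo():
    ac = AccessControl(assignments={"reviewer1": "grant_reviewer",
                                    "admin1": "sysadmin"})
    ac.logon("reviewer1", banner_acknowledged=True)   # allowed
    ac.view("reviewer1", "application_summary")        # allowed: in profile
    ac.view("reviewer1", "payment_history")            # denied: outside profile
    ac.logon("admin1", banner_acknowledged=False)      # denied: banner not acknowledged
    ac.view("admin1", "system_health")                 # denied: no active session
    ac.view("intruder", "application_summary")         # denied: no profile, no session
    ac.view("intruder", "payment_history")             # denied again
    return ac


if __name__ == "__main__":
    for e in demo().audit_log:
        print(e.ts, e.user, e.action, e.target, e.outcome)
```

The point of the design is that the profile, not the user, decides what is visible, so a reviewer cannot browse payment history even with a valid session, and the denied attempts are what the audit trail surfaces when `irregular_users()` is run over the log.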
5) Are contractors involved with the design and development of the system and will they be
involved with the maintenance of the system? If yes, were Privacy Act contract clauses
inserted in their contracts and other regulatory measures addressed?
Yes. Privacy Act clauses are in the contract.
6) Do other systems share data or have access to the data in the system? If yes, explain.
Other systems do not have ingress access to RRFP data.



File Type: application/pdf
File Modified: 2025-04-09
File Created: 2025-01-30
