CIA relies on reliable, repeatable, and comparable data to, among other purposes, inform decisions and track progress in achieving CIA priorities. This data, which the CIA refers to as “business data,” is captured by, or created from the use and operations of, CIA facilities, IT systems, and applications in the normal course of CIA activities and processes. The CIA's collection, curation, exploration, and objective analysis of business data has proven significantly beneficial to the CIA. For example, business data has allowed CIA leadership to recommend adjustments to CIA resource allocations, develop applications to assist the CIA workforce in completing their administrative responsibilities, and generate statistical information to inform CIA leadership decision-making on its business needs.
The CIA proposes a new System of Record Notice, CIA-44 Business Analytics Records, to further enable its business data analytic activities and identify opportunities for efficiencies in Agency services, tools, reports, properties, and facilities.
Nothing in the new SORN indicates any change in the Agency's authorities or practices regarding the collection and maintenance of information about citizens and lawful permanent residents of the United States, nor does the new SORN change any individual's rights to access or to amend their records in accordance with the Privacy Act.
In accordance with 5 U.S.C. 552a(r), the Agency has provided a report to OMB and Congress on the new system of records.
Dated: November 4, 2024.
Mark Mouser,
Privacy and Civil Liberties Officer, Central Intelligence Agency.
PRIVACY ACT SYSTEM OF RECORDS NOTICE CIA-44
SYSTEM NAME AND NUMBER:
Business Analytics Records (CIA-44)
SECURITY CLASSIFICATION:
The classification of records in this system can range from UNCLASSIFIED to TOP SECRET.
SYSTEM LOCATION:
Central Intelligence Agency, Washington, DC 20505.
SYSTEM MANAGER(S):
Chief Strategy Officer (CSO), Central Intelligence Agency, Washington, DC 20505, and the heads of component-level offices charged with business analytic functional responsibilities.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
The National Security Act of 1947, as amended, 50 U.S.C. 3036 et seq.; the Central Intelligence Agency Act of 1949, as amended, 50 U.S.C. 3501 et seq.;Executive Order 12333, as amended, 73 FR 45325.
PURPOSE(S) OF THE SYSTEM:
Records in this system are used by authorized personnel to ensure process integrity; enable the CIA and the Director of the CIA to carry out their lawful and authorized responsibilities; and collect, create, centralize and disseminate CIA business data to: evaluate the utilization of, and identify opportunities for efficiencies in, CIA services, tools, reports, properties, and facilities; evaluate adjustments to CIA resource allocations, processes, and business lines; develop applications and information systems to assist CIA personnel in conducting official CIA business; and perform other analyses of CIA business processes and systems as identified by authorized CIA officials.
Records in this system are also used by authorized personnel to collect, create, centralize and disseminate CIA business data to monitor, report on, and make recommendations relating to: CIA's utilization of contracts and contractors to promote the efficient use of CIA resources; CIA vacancies, hiring, compensation, awards, promotions, training, employee development, employee benefits, internal transfers, resignations, and retirements; spending by CIA components and programs; work hours and activities of CIA personnel to determine alignment of CIA activity with CIA priorities; workforce health, wellbeing status, and perceptions to allow for a more comprehensive understanding of the workforce and allow for the ability for CIA stakeholders to take action to improve the workplace, environment, and organizational processes; location and workplace presence of CIA-affiliated persons, to support commuting, alternative work, and facility location studies; official travel performed by CIA-affiliated persons; and former staff employees who retain an alumni relationship with the CIA.
CIA employees and contractors may use established business analytic methods to query, analyze, and summarize CIA business data. These methods include using programming language(s) ( e.g., structured query language (SQL)), data visualization, statistical analysis, natural language processing, network analysis, and artificial intelligence/machine learning techniques. ( print page 92892)
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Current and former CIA employees, employees of other IC agencies detailed to the CIA, applicants or prospective applicants for employment with the CIA, individuals under contract with the CIA, individuals visiting CIA-managed facilities, individuals physically present in, or using, CIA-controlled facilities, United States Government personnel reading or consuming CIA-produced products, and individuals using CIA-managed information technology systems.
CATEGORIES OF RECORDS IN THE SYSTEM:
This system contains CIA “business data,” which is data captured by, created by, or derived from the use and operations of CIA facilities, IT systems, and applications, that is used by authorized CIA officers for the purposes outlined in the “PURPOSE(S) OF THE SYSTEM” paragraph, above. CIA business data includes, but is not limited to:
A. Human resource, biographic, and personnel security information on the individuals listed in the “CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM” paragraph, above, such as: names of individuals; organizational affiliation; physical work location of personnel; internal contact information; personal home address and contact information; voluntarily-provided biographical information; demographic data; employment data; applicant and prospective applicant information, such as CIA position vacancies, applications, and internal and external hiring data; employee performance and promotion, retention, and resignation attributes; personnel security dispositions and clearances; personnel official travel records; voluntarily-provided information on workforce health, wellbeing status, and perceptions, utilization of employee health and wellness services, and responses to workforce surveys.
B. Financial and appropriations information, such as: CIA budget allocations and fiscal transactions; contracts and contractor personnel data; and procurement, inventory, movement, and disposition of goods and services; and
C. CIA-managed products, facilities, IT system, and application information, such as: internal communications metadata; activity records on CIA-managed information technology systems; metadata relating to CIA-produced or -consumed analyses, reporting, and content; and capacity, configuration, maintenance, and utilization data of CIA-managed and CIA-affiliated facilities.
RECORD SOURCE CATEGORIES:
Information may be provided by individuals covered by this system; derived from other CIA IT systems and Privacy Act systems of records; and other U.S. Government departments and agencies.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:
In addition to the disclosures generally permitted under 5 U.S.C. 552a(b), this information is set forth in the “Statement of General Routine Uses for the Central Intelligence Agency,” set out at 87 FR 73198, November 28, 2022, which is incorporated herein by reference.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Paper and other hard-copy records are stored in secured areas within the CIA or in CIA-controlled facilities. Electronic records are stored in secure file-servers located within CIA-controlled facilities or in CIA-contracted facilities subject to CIA supervision.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Records in this system may be retrieved by name, chart number, social security number, CIA employee number, or other unique personal identifier by automated or hand search based on extant indices and automated capabilities utilized in the normal course of business. Under applicable law and regulations, all searches of this system of records will be performed in CIA offices by CIA personnel.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
All records are maintained and disposed of in accordance with applicable Records Control Schedules issued or approved by the National Archives and Records Administration.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Records are maintained in secure, restricted areas and are accessed only by personnel who have a need for the records in the performance of their official duties and have been authorized for such access. Electronic authorization and authentication access controls are required to prevent against unauthorized access, use, and disclosure.
RECORD ACCESS PROCEDURES:
Requests from individuals should be addressed as indicated in the notification procedures section below. Regulations for access to individual records or for appealing an initial determination by CIA concerning the access to records are published in the Federal Register (32 CFR 1901.11-.45).
CONTESTING RECORD PROCEDURES:
Requests from individuals to correct or amend records should be addressed as indicated in the notification procedures section below. CIA's regulations regarding requests for amendments to, or disputing the contents of, individual records or for appealing an initial determination by CIA concerning these matters are published in the Federal Register (32 CFR 1901.21-32, 32 CFR 1901.42).
NOTIFICATION PROCEDURES:
Individuals seeking to learn if this system of records contains information about them should direct their inquiries to: Information and Privacy Coordinator, Central Intelligence Agency, Washington, DC 20505. Identification requirements are specified in the CIA rules published in the Federal Register (32 CFR 1901.12-.14). Individuals must comply with these rules in order for their request to be processed.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
Certain records contained within this system of records may be exempted from certain provisions of the Privacy Act, 5 U.S.C. 552a, pursuant to 5 U.S.C. 552a(d)(5), (j)(1), and (k).
HISTORY:
None.