C: For the categories listed above, how many records are there for each?
We estimate a minimum of 500,000 records for the above categories.
D: System, application, or project includes these data elements:
Gmail Google, Meet Classic Hangouts, Google Chat, Google Calendar, Google Drive and Shared Drive . Google
Docs, Google Sheets, Google Slides, Google Forms, Google Sites Google Keep Apps Script Chrome Browser,
Overview:
GSA uses GWE for email, collaboration and sharing of information. As such, the applications
(Gmail, Google Meet, Google Drive and Docs, Calendar, Chats and Classic Hangouts, Google
Groups, Google Vault, Google Keep, and Cloud Search) are used as a means to collect, maintain,
collaborate and share information between users within GSA.
1.0 Purpose of Collection
1.1: What legal authority and/or agreements allow GSA to collect, maintain, use, or disseminate the information?
44 U.S. Code §3101. Records management by agency heads; general duties 5 U.S. Code §301. Departmental
regulations
1.2: Is the information searchable by a personal identifier, for example a name or Social Security number?
Yes
1.2a: If so, what Privacy Act System of Records Notice(s) (SORN(s) applies to the information being collected?
Existing SORN applicable
1.2: System of Records Notice(s) (Legacy Text): What System of Records Notice(s) apply/applies to the
information?
Yes, the system is searchable by a google account holder’s name. Administrators can deactivate certain accounts;
however, that does not preclude a user from searching a deactivated user’s account for data that already exists in the
system. Sources may vary widely as information is not collected by the system’s applications specifically, but are
used as a mechanism to store, collaborate and share information between users. The potential PII stored and shared
using GWE comes from a varied source of extracts and sources. GSA primarily relies on GWE for storage, sharing or
collaboration of mission-critical information at the FISMA moderate level. For example, Google and GSA have
entered into a Business Associate Agreement (BAA) to allow GSA’s Office of Evaluation Sciences to store HIPAA
Limited Data Sets on Google Drive.
GWE is covered under GSA's Enterprise Organization of Google Applications SORN GSA/CIO-3 GSA Enterprise
Organization of Google Applications and SalesForce.com.
1.2b: Explain why a SORN is not required.
1.3: Has an information collection request (ICR) been submitted to or approved by the Office of Management and
Budget (OMB)?
1.3: Information Collection Request: Provide the relevant names, OMB control numbers, and expiration dates.
GWE is not an information collection for Paperwork Reduction Act purposes. If a Google form requires an ICR, the
form creator must adhere to procedures and policy.
1.4: What is the records retention schedule for the information systems(s)? Explain how long and for what reason the
information is kept.
Records are maintained and verified while an employee has active employment. After a user leaves GSA, the email
record will be available for 7 years and 15 years for high level officials. Records are disposed of as specified in the
handbook, GSA Records Maintenance and Disposition System (CIO P 1820.1). The record retention period is
indefinite this is part of GSA Number/Disposition Authority GRS 03.1/011 and DAAGRS-2013-0005-0008.
2.0 Openness and Transparency
2.1: Will individuals be given notice before the collection, maintenance, use or dissemination and/or sharing of
personal information about them? No