PRIVACY IMPACT ASSESSMENT (PIA)
PRESCRIBING AUTHORITY: DoD Instruction 5400.16, "DoD Privacy Impact Assessment (PIA) Guidance". Complete this form for Department of Defense
(DoD) information systems or electronic collections of information (referred to as an "electronic collection" for the purpose of this form) that collect, maintain, use,
and/or disseminate personally identifiable information (PII) about members of the public, Federal employees, contractors, or foreign nationals employed at U.S.
military facilities internationally. In the case where no PII is collected, the PIA will serve as a conclusive determination that privacy requirements do not apply to
system.
1. DOD INFORMATION SYSTEM/ELECTRONIC COLLECTION NAME:
NAF Financial Management System Software as a Service (NAF FMS SaaS)
2. DOD COMPONENT NAME:
Department of the Navy/United States Marine Corps
Headquarters Marine Corps Manpower and Reserve Affairs (M&RA), Business and Support Services (MR)
3. PIA APPROVAL DATE:
04/07/25
SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
a. The PII is: (Check one. Note: Federal contractors, military family members, and foreign nationals are included in general public.)
From members of the general public
From Federal employees
From both members of the general public and Federal employees
Not Collected (if checked proceed to Section 4)
b. The PII is in a: (Check one.)
New DoD Information System
New Electronic Collection
Existing DoD Information System
Existing Electronic Collection
Significantly Modified DoD Information System
c. Describe the purpose of this DoD information system or electronic collection and describe the types of personal information about individuals
collected in the system.
The Non-appropriated Fund Financial Management System Software as a Service (NAF FMS SaaS) is an integrated accounting
system that provides a means to manage and administer financial records related to general ledger, accounts payable, fixed assets, accounts
receivable, and cash management. Additional functions include inventory management, purchasing and procurement management, and
project costing. Capabilities have been implemented in a phased roll-out approach. Since implementation, NAF FMS SaaS has been in the
enhancements and maintenance phase.
Types of personal information include: individual's full name; personal identifiers (Social Security Number (SSN), DoD ID number,
Employer Identification Number (EIN), MCCS employee ID number, and MCCS assigned vendor/company ID number); vendor/company
eligibility information; contact information (personal and work); military status and branch; rank and title information; payment and debt
collection information; tender information; banking information; disbursing and accounting transaction data; supervisor's information; and
purchase orders and invoices. A complete description and explanation are provided in the SORNs listed below.
d. Why is the PII collected and/or what is the intended use of the PII? (e.g., verification, identification, authentication, data matching, mission-related use,
administrative use)
PII is collected for identification and verification of individuals and their contact information:
-for the creation of vendor/company contracts, purchase orders, invoices, recording their status, and for reporting required tax information;
-for verification of eligibility to conduct business with MCCS;
-for vendor/company payment;
-for data matching among systems;
-for a bad debt list to block patrons from future check tendering at a point-of-sale;
-for the issuance of payments, collection of payments due, and recording their status;
-for the collection of outstanding debts, management of payments and outstanding balances, and recording any debt deduction or write-off;
-for the submission of required Internal Revenue Service (IRS) reporting for applicable contract payments and prizes;
-for employee remittance and reimbursement;
-for final wages payment to the employee's beneficiary, in the event of an employee's death;
-for creating an employee user profile and access to include transactional approval routing; and
-for analysis of financial transactions.
The intended use of the PII collected is for mission-related use and administrative use.
e. Do individuals have the opportunity to object to the collection of their PII?
Yes
No
(1) If "Yes," describe the method by which individuals can object to the collection of PII.
(2) If "No," state the reason why individuals cannot object to the collection of PII.
DD FORM 2930, JUN 2017
PREVIOUS EDITION IS OBSOLETE.
Page 1 of 9
The NAF FMS SaaS is not the original source of collection of all the personal information maintained. Individuals are provided a Privacy
Act Statement when personal information is requested directly from them, such as on NAVMC 11787, "Response to Marine Corps NAF
Debt Collection Notice." In the cases where the NAF FMS SaaS receives PII from other information systems, the individual(s) would have
had the opportunity to object to the collection of their PII at that originating source (e.g., when making purchases by non-cash tender).
f. Do individuals have the opportunity to consent to the specific uses of their PII?
Yes
No
(1) If "Yes," describe the method by which individuals can give or withhold their consent.
(2) If "No," state the reason why individuals cannot give or withhold their consent.
Providing information is considered consent. All information collected on the individual may be used for mission-related and administrative
use in accordance with the purpose of the system without further consent of the individual.
g. When an individual is asked to provide PII, a Privacy Act Statement (PAS) and/or a Privacy Advisory must be provided. (Check as appropriate and
provide the actual wording.)
Privacy Act Statement
Privacy Advisory
Not Applicable
Information from the approved NAVMC 11787, “Response to Marine Corps NAF Debt Collection Notice,” will be maintained in NAF
FMS SaaS. Data will be input by MCCS personnel, not the individuals. The Privacy Act Statement provided on NAVMC 11787 is as
follows:
PRIVACY ACT STATEMENT
AUTHORITY: 10 U.S.C. 5013; 10 U.S.C. 5041; MCO P1700.27B W CH1; MCO 7010.19; and SORNs NM01700-1, NM04060-1,
NM07010-1, NM01754-3, and N04066-4.
PRINCIPAL PURPOSE: Information requested is used for the purpose of managing and administering applicable Marine Corps
Nonappropriated Fund Instrumentalities (NAFIs) delinquent debt collections, and for reporting and documentation required in connection
with these actions.
ROUTINE USES: Information may be disclosed to the U.S. Department of Treasury for centralized administrative or salary offset and to
credit card processors, banks, and other financial institutions to process payments. Complete lists and explanations of applicable Routine
Uses are found in the authorizing SORNs, accessible at https://dpcld.defense.gov/Privacy/SORNsIndex/DODComponent-Notices/NavyUSMC-Article-List/.
DISCLOSURE: Voluntary; however, failure to provide required information may result in automatic submission to the Treasury Offset
Program to withhold or reduce Federal payment(s) due to the respondent to satisfy the debt.
h. With whom will the PII be shared through data/system exchange, both within your DoD Component and outside your Component?
(Check all that apply)
Within the DoD Component
Specify. MCCS personnel at Shared Services Center (SSC) office and installation finance offices; NAF Enterprise Contract Management (ECM) system; MCCS bad debt database (via MOU with Marine Corps Total Force System (MCTFS)); and Secure File Transfer Protocol (SFTP).
Other DoD Components (i.e. Army, Navy, Air Force)
Specify. Defense Finance and Accounting Service (DFAS) and Army & Air Force Exchange Service (AAFES) via MCTFS
Other Federal Agencies (i.e. Veteran’s Affairs, Energy, State)
Specify. Internal Revenue Service
State and Local Agencies
Specify.
Contractor (Name of contractor and describe the language in the contract that safeguards PII. Include whether FAR privacy clauses, i.e., 52.224-1, Privacy Act Notification, 52.224-2, Privacy Act, and FAR 39.105 are included in the contract.)
Specify. 6e Technology (BPA issued off GSA contract). The GSA contract includes FAR clauses 52.224-1, 52.224-2, 52.224-3, and 52.239-1.
Oracle USA, Inc. (Delivery Order issued off NEXCOM contract). MCCS will add the NAF MCCS Privacy Act Notification clause, similar to the FAR clauses to the delivery order for MCCS data.
Other (e.g., commercial providers, colleges).
Specify. Banking institutions to include Bank of America
i. Source of the PII collected is: (Check all that apply and list all information systems if applicable)
Individuals
Databases
Existing DoD Information Systems
Commercial Systems
Other Federal Information Systems
MCCS activities to include MCCS finance and procurement offices. Existing information systems include: NAF Human Resource
Management System (NAF HRMS), NAF ECM; NAF Retail Point of Sale (RPOS), NAF MCCS Financial Operation (NAF MCCS
FinOps), NAF Cognos Business Intelligence Solutions (BI), DFAS, and AAFES via SFTP. Commercial providers to include Bank of
America Merchant Services. Databases to include records of outstanding indebtedness to MCCS submitted from Marine Corps installations
and the MCCS bad debt database (with MCTFS).
j. How will the information be collected? (Check all that apply and list all Official Form Numbers if applicable)
E-mail
Official Form (Enter Form Number(s) in the box below)
In-Person Contact
Paper
Fax
Telephone Interview
Information Sharing - System to System
Website/E-Form
Other (If Other, enter the information in the box below)
System-to-system transfer is via a secure file gateway connection. Website includes Oracle self-service portal for vendors/companies.
DD Form 139, "Pay Adjustment Authorization;" W-9, "Request for Taxpayer Identification Number and Certification;" and NAVMC
11787, "Response to the Marine Corps NAF Debt Collection Notice."
k. Does this DoD Information system or electronic collection require a Privacy Act System of Records Notice (SORN)?
A Privacy Act SORN is required if the information system or electronic collection contains information about U.S. citizens or lawful permanent U.S. residents that
is retrieved by name or other unique identifier. PIA and Privacy Act SORN information must be consistent.
Yes
No
If "Yes," enter SORN System Identifier
NM01700-1; NM04060-1; NM07010-1;..
SORN Identifier, not the Federal Register (FR) Citation. Consult the DoD Component Privacy Office for additional information or http://dpcld.defense.gov/Privacy/SORNs/
or
If a SORN has not yet been published in the Federal Register, enter date of submission for approval to Defense Privacy, Civil Liberties, and Transparency
Division (DPCLTD). Consult the DoD Component Privacy Office for this date
If "No," explain why the SORN is not required in accordance with DoD Regulation 5400.11-R: Department of Defense Privacy Program.
l. What is the National Archives and Records Administration (NARA) approved, pending or general records schedule (GRS) disposition authority
for the system or for the records maintained in the system?
(1) NARA Job Number or General Records Schedule Authority.
DAA-GRS-2013-0003-0001; DAA-GRS-2013-0003-0002
(2) If pending, provide the date the SF-115 was submitted to NARA.
(3) Retention Instructions.
GRS 1.1 item 010: Temporary. Destroy 6 years after final payment or cancellation.
GRS 1.1 item 011: Temporary. Destroy when business use ceases.
m. What is the authority to collect information? A Federal law or Executive Order must authorize the collection and maintenance of a system of
records. For PII not collected or maintained in a system of records, the collection or maintenance of the PII must be necessary to discharge the
requirements of a statute or Executive Order.
(1) If this system has a Privacy Act SORN, the authorities in this PIA and the existing Privacy Act SORN should be similar.
(2) If a SORN does not apply, cite the authority for this DoD information system or electronic collection to collect, use, maintain and/or disseminate PII.
(If multiple authorities are cited, provide all that apply).
(a) Cite the specific provisions of the statute and/or EO that authorizes the operation of the system and the collection of PII.
(b) If direct statutory authority or an Executive Order does not exist, indirect statutory authority may be cited if the authority requires the
operation or administration of a program, the execution of which will require the collection and maintenance of a system of records.
(c) If direct or indirect authority does not exist, DoD Components can use their general statutory grants of authority (“internal housekeeping”) as
the primary authority. The requirement, directive, or instruction implementing the statute within the DoD Component must be identified.
SORN NM01700-1, DON General Morale, Welfare, and Recreation Records (February 12, 2008, 73 FR 8035), authorities: 10 U.S.C. 5013,
Secretary of the Navy; 10 U.S.C. 5041, Headquarters, Marine Corps; 26 U.S.C. 6041; SECNAVINST 1700.12B; MCO P1700.27B W/CH1,
Marine Corps Community Services Policy Manual; DOD 7000.14-R Volume 13, Financial Management Regulations (FMR); and E.O. 9397
(SSN), as amended.
SORN NM04060-1, Navy and Marine Corps Exchange Sales Control and Security Files (April 30, 2008, 73 FR 23450), authorities: 10
U.S.C. 5013, Secretary of the Navy; 10 U.S.C. 5041, Headquarters, Marine Corps; and E.O. 9397 (SSN), as amended.
SORN NM07010-1, DON Non-Appropriated Funds Standard Payroll System (June 16, 2014, 79 FR 34305), authorities: 10 U.S.C. 5013,
Secretary of the Navy; CNICINST-7000.3, Accounting Procedures for Non-Appropriated Funds; and E.O. 9397 (SSN), as amended.
SORN NM01754-3, DON Child and Youth Program (May 27, 2010, 75 FR 29728), authorities: 10 U.S.C. 5013, Secretary of the Navy; 10
U.S.C. 5041, Headquarters, Marine Corps; DoD Instruction 6060.02, Child Development Programs; DoD Instruction 6060.3, School Age
Care Program; DoD Instruction 6060.04, Youth Services (YS) Policy; OPNAV Instruction 1700.9E w/Ch1, Child and Youth Program;
Marine Corps Order 1710.30, Marine Corps Child and Youth Programs (CYP); and E.O. 9397 (SSN), as amended.
SORN N04066-4, Navy Lodge Records (April 30, 2008, 73 FR 23448), authorities: 10 U.S.C. 5013, Secretary of the Navy and E.O. 9397
(SSN), as amended.
In addition to those listed: Federal Claims Collection Act of 1966 (Pub. L. 89-508, as amended); Debt Collection Act of 1982 (Pub. L.
97-365) as amended by the Debt Collection Improvement Act of 1996 (Pub.L. 104-134, Section 31001); 31 CFR 285.11, Administrative
Wage Garnishment; DoD 7000.14-R, Department Of Defense Financial Management Regulations; MCO P1700.27B W CH1, Marine Corps
Community Services Policy Manual; and MCO 7010.19, Marine Corps Community Services Financial Management Procedures.
n. Does this DoD information system or electronic collection have an active and approved Office of Management and Budget (OMB) Control
Number?
Contact the Component Information Management Control Officer or DoD Clearance Officer for this information. This number indicates OMB approval to
collect data from 10 or more members of the public in a 12-month period regardless of form or format.
Yes
No
Pending
(1) If "Yes," list all applicable OMB Control Numbers, collection titles, and expiration dates.
(2) If "No," explain why OMB approval is not required in accordance with DoD Manual 8910.01, Volume 2, "DoD Information Collections Manual:
Procedures for DoD Public Information Collections."
(3) If "Pending," provide the date for the 60 and/or 30 day notice and the Federal Register citation.
OMB No. 0712-0008, Response to the Marine Corps NAF Debt Collection Notice, expiration date 12/31/2025.
| File Type | application/pdf |
| File Title | DD Form 2930, "Privacy Impact Assessment (PIA), June 2017".pdf |
| Author | Halabuk, Viki L CIV USN SECNAV WASHINGTON DC (USA) |
| File Modified | 2025-08-13 |
| File Created | 2025-08-13 |