Privacy Impact Assessment Training for Information Technology Systems Third-Party Websites and Applications

Presentation Transcript


    1. Privacy Impact Assessment Training for Information Technology Systems & Third-Party Websites and Applications July 2011

    2. Agenda
        - Introduction
        - Legislative Drivers
        - Background
        - Process
        - PIAs for Information Technology (IT) Systems
        - PIAs for Third-Party Websites and Applications (TPWAs)
        - Other Considerations
        - Appendix: Security and Privacy Online Reporting Tool (SPORT)
        - Resources

    3. Introduction: Overview
        - Audience: Information Technology (IT) System and TPWA Owners/Managers, Institutes and Centers (IC) Privacy Coordinators, Information Systems Security Officers (ISSOs), the NIH Web Community, Paperwork Reduction Act (PRA) Liaisons, Records Liaisons, and other NIH staff involved in the PIA process or who have an interest in learning more about it.
        - Purpose: Provide an overview of federal and NIH requirements. Review the tools and resources available to support compliance.
        - Duration: 1 hour

    5. Legislation
        - Office of Management and Budget (OMB) Circular A-11, Preparation, Submission and Execution of the Budget, as revised
        - OMB Memorandum (M) 11-02, Sharing Data While Protecting Privacy
        - OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications
        - OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies
        - OMB M-10-06, Open Government Directive
        - OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information
        - OMB M-06-19, Reporting Incidents Involving Personally Identifiable Information Incorporating the Cost for Security in Agency Information Technology Investments
        - OMB M-06-16, Protection of Sensitive Agency Information
        - OMB M-06-15, Safeguarding Personally Identifiable Information
        - OMB M-05-08, Designation of Senior Agency Officials for Privacy
        - OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002

    7. Background: What is a PIA?
        A Privacy Impact Assessment is an analysis of how information is handled:
        - To ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy;
        - To determine the risks and effects of collecting, maintaining and disseminating personally identifiable information (PII) in an electronic Information Technology (IT) System used by multiple users (e.g., network, server, database) or through the use of a Third-Party Website or Application (TPWA);
        - To examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.

    8. Background: What do PIAs evaluate?
        - Data in an IT System or TPWA
        - Attributes of the data
        - Access to the data
        - Information collection and use practices
        - Privacy notice practices
        - Information sharing and maintenance practices
        - If the system contains federal records
        - Whether the use creates or modifies a Privacy Act System of Records
        - Whether the use creates an information collection under the PRA
        - Website hosting and uses of TPWAs to collect or maintain data
        - Administrative, technical and physical access controls

    9. Background: Which IT Systems or TPWAs Need a PIA?
        - IT systems owned, operated, maintained, or controlled by the Federal government or a contracted company working on behalf of the agency;
        - Web-based technologies that are not exclusively operated or controlled by a government entity, or that involve significant participation of a non-government entity;
        - Those that have not been assessed previously;
        - Those in development (as part of the certification and accreditation [C&A] process); and,
        - Those assessed previously which have undergone a “major change”.

    10. Background: What is a Major Change?
        A “major change” is a modification to an IT System or TPWA that affects the following:
        - Access control
        - Type of data collected
        - IT System or TPWA interconnection
        - Information sharing
        - Business processes

    11. Background: Examples of Major Changes
        - Conversions: When converting paper-based records to electronic IT Systems or TPWAs.
        - Anonymous to Non-Anonymous: When functions applied to an existing information collection change anonymous information into PII.
        - Significant IT System or TPWA Management Changes: When new uses, including application of new technologies, significantly change how PII is managed in the IT System or TPWA.
        - Significant Merging: When agencies adopt or alter business processes so that government databases holding PII are merged, centralized, matched with other databases, or otherwise significantly manipulated.
        - New Public Access: When user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic IT System or TPWA.

    12. Background: What Qualifies as a TPWA?
        1. Is the Website or application part of authorized law enforcement, national security, or intelligence activities? If the answer is “Yes”, it is not a TPWA. If the answer is “No”, continue to Question 2.
        2. Is the Website or application for internal activities that do not involve the public? If the answer is “Yes”, it is not a TPWA. If the answer is “No”, continue to Question 3.
        3. Does HHS own, operate, or control the Website or application? If the answer is “Yes”, it is not a TPWA. If the answer is “No”, continue to Question 4.
        4. Does another Federal department or agency own, operate, or control the Website or application? If the answer is “Yes”, it is not a TPWA. If the answer is “No”, continue to Question 5.
        5. Is the Website or application owned, controlled, or operated by a nongovernment entity or a contractor acting on behalf of HHS? If the answer is “Yes”, continue to Question 6. If the answer is “No”, it is not a TPWA.
        6. Is the Website or application used by the IC to engage with the public for the purposes of implementing the principles of the Open Government Directive? If the answer is “Yes”, the Website or application is a TPWA. If the answer is “No”, it is not a TPWA.

    13. Background: Open Government Directive
        On January 21, 2009, the President instructed the Director of OMB to issue an Open Government Directive requiring specific actions to implement the principles of transparency, participation, and collaboration:
        - Transparency - providing the public with information about what NIH is doing by making it available online in an open medium or format that can be retrieved, downloaded, indexed, and searched by commonly used applications.
        - Participation - contribution by the public of ideas and expertise so NIH can make policies with the benefit of information that is widely dispersed in society.
        - Collaboration - encouragement of partnerships and cooperation with other federal and non-federal governmental agencies, the public, and non-profit and private entities to fulfill the agency’s core mission activities.

    15. Process: Who Should Prepare/Review/Approve PIAs?
        - PIAs are completed by an IT System or TPWA Owner/Manager in consultation with the IC Privacy Coordinator, ISSO, Web Master, Paperwork Reduction Act (PRA) Liaison, Records Liaison and other key stakeholders, as applicable, via SPORT.
        - They are distributed through the respective IC and NIH organizational channels for concurrence (i.e., Supervisory Chain/Executive Officers).
        - The NIH Senior Official for Privacy (SOP) will review, approve, and date each PIA and promote it to the Department.
        - On a quarterly basis, HHS will post a summary of the IT System or TPWA PIA on a public website at URL: http://www.hhs.gov/pia/nih/index.html
        - The HHS OCIO will communicate to the NIH SOP the status of PIAs not approved for posting.

    16. Process: Conduct the PIA
        Identify IT Systems and TPWAs that require a PIA:
        - At the IC program level where the data is being collected;
        - Before the development phase has begun; or,
        - When it is discovered that an IT System or TPWA does not have a PIA.
        In addition, all PIAs must be:
        - Initiated and approved before the system is launched, and
        - Reviewed annually to ensure accuracy and relevancy.
        To establish a new IT System or TPWA, notify NIHSPORT@mail.nih.gov
        - If the IT System does not contain PII, complete only the PIA Summary.
        - If the IT System contains PII, complete the full PIA Form.
        - Regardless of whether or not the TPWA contains PII, complete the adapted PIA.

    17. Process: Writing the PIA
        Suggested guidelines to follow when preparing a PIA:
        - Consult the NIH PIA Policy and Guide to ensure that standard operating procedures are followed during the development and submission of a PIA;
        - Write clearly and concisely so that members of the public can understand the purpose and use of the information we collect/use/store in our IT systems and TPWAs;
        - Spell out acronyms and define technical references and scientific terms;
        - Provide enough detailed information to answer each question thoroughly (e.g., list the specific data elements collected by an IT system or TPWA);
        - Leverage existing documentation (e.g., SORN, C&A, OMB Request for Clearance, Records Retention Schedule). However, do not substitute a SORN for a PIA, even though much of the information in a PIA may be included in the SORN as well.

    18. Process: Writing the PIA
        - Remember that a PIA is a public document. Do not include sensitive information that could allow a potential threat source to gain unauthorized access to the IT System or TPWA (e.g., do not provide detailed information about security access controls described in question 54 of the IT System PIA).
        - Sensitive information has a degree of confidentiality such that its loss, misuse, unauthorized access, or modification could compromise the element of confidentiality and thereby adversely affect national health interests, the conduct of HHS programs, or the privacy of individuals entitled under the Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA).
        - IT security personnel and System Owners can equate this definition with data that has a FIPS 199 security impact level of Moderate or High.
        - This definition is media neutral and applies to information as it appears in either electronic or hardcopy format.

    19. Process: Ensure the PIA Is Complete
        - Does the PIA properly identify the IT System or TPWA?
        - Does it adequately describe whether PII is in the system?
        - Does it identify the type of PII in the system (e.g., protected health information, sensitive information, information subject to the Privacy Act)?
        - Does it describe with whom the PII is shared and how is it secured?
        - Is the system description and PII handling procedure reasonably clear and consistent?
        - Is the PIA accurate and appropriate for posting (e.g., does the approval date reflect the current fiscal year and is the content still applicable to the system)?
        - Has the PIA been promoted electronically in SPORT to the SOP?
        - Have you notified the SOP by phone/e-mail that the PIA is ready for review?

    20. Process: Step 1: Access SPORT
        The SPORT tool is the official collection point of NIH PIAs. It is a living resource.
        Through the SPORT tool, you can:
        - Edit, save and submit a current PIA
        - View and print current and historical (archived) PIAs
        Contact NIH ProSight FISMA Accounts at NIHSPORT@mail.nih.gov to:
        - Gain access to the SPORT Tool
        - Re-set your password
        - Add/Modify/Delete a PIA

    21. Process: Step 2: Complete the PIA
        The PIA consists of two parts:
        - PIA Summary: Identifies information collection practices, procedures, and possible privacy/security weaknesses/vulnerabilities that pose an unacceptable risk of compromising the confidentiality, integrity, or availability of information.
        - PIA Form:
            - Ensures that information handling conforms to applicable legal, regulatory, and policy requirements regarding privacy;
            - Determines the risks and effects of collecting, maintaining, and disseminating PII in an information IT System or TPWA; and,
            - Examines and evaluates protections and alternative processes for handling information to mitigate potential privacy/security risks.
        If it is determined that an IT System contains PII, the full PIA Form must be completed and regardless of whether or not a TPWA collects PII, the adapted PIA Form must be completed.

    22. Process: Step 3: PIA Summary & Approval
        - The IC PIA Author completes the PIA, ensures it is signed by the System Owner/Manager, obtains the concurrence of the PIA Approver (typically the IC Privacy Coordinator) and promotes the PIA to the NIH SOP for review.
        - The NIH SOP reviews the PIA for accuracy and completeness, approves and promotes it to the HHS OCIO.
        - The HHS OCIO reviews the PIA for completeness and publishes it on its public website http://www.hhs.gov/pia

    23. Process: Step 4: Approval/Demotion
        Each IT System or TPWA PIA created in SPORT by the IC PIA Author will be reviewed by the NIH SOP, followed by one of two actions:
        - Demotion to the IC PIA Author if the NIH SOP determines that any information is out-of-date, incorrect or incomplete; or,
        - Promotion to the Department Senior Agency Official for Privacy (SAOP) for review and posting to the HHS PIA Website at http://www.hhs.gov/pia/

    25. Process: PIAs for IT Systems: Complete the IT System PIA
        - If the IT System does not contain PII, complete the PIA Summary only.
        - If the IT System contains PII, complete the full PIA Form.
        The PIA Form for IT systems includes the PIA Summary (or Privacy Threshold Analysis), Approval Page, and the following 7 tabs:
        - General Information
        - System Characterization and Data Configuration
        - Information Sharing Practices
        - Website Hosting Practices
        - Administrative Controls
        - Technical Controls
        - Physical Access Controls

    26. Process: PIAs for IT Systems: Required Information Tab
        This tab covers the basics of each IT System including:
        - Summary of Required Questions
        - System Location
        - Point of Contact Information – only name will be made public
        - Overview of the System

    27. Process: PIAs for IT Systems: System Characterization/Data Configuration Tab
        This tab identifies, among other things:
        - Who owns and operates the IT System
        - Whether the IT System is new or existing
        - The life-cycle of the IT System (e.g., initiation, development/acquisition, implementation, operations/maintenance)
        - Changes that may have occurred to the IT System
        - Whether the IT System collects, maintains, stores, disseminates and/or passes through PII within any database, record, file, or website hosted by the IT System

    28. Process: PIAs for IT Systems: Information Sharing Practices Tab
        This tab identifies Federal agency and third-party information sharing practices. It focuses on how the IT System uses PII. Specifically:
        - Who sees the information (who can access it)
        - Where it comes from (entered manually or pulled from a 2nd system), and
        - Where it goes (uploaded to a website, shared with others)

    29. Process: PIAs for IT Systems: Web Hosting Practices Tab
        This tab:
        - Identifies privacy practices for IT Systems that host Websites
        - Seeks to understand whether the IT System’s Website complies with Federal guidance on Website operation

    30. Process: PIAs for IT Systems: Administrative Controls Tab
        This tab ensures proper management and control of information and IT Systems and indicates whether the following exist:
        - Date of Certification & Accreditation
        - Security Plan
        - Contingency or Backup Plan
        - Policies/Manuals/Guides/Procedures
        - Contractor Clauses (to protect and safeguard information)
        - Access (to ensure least privilege “business need-to-know”)
        - Record Retention Policies

    31. Process: PIAs for IT Systems: Technical Controls Tab
        This tab includes questions about technical controls that are generally configured and executed automatically by the IT System:
        - User IDs
        - Passwords
        - Firewalls
        - VPN
        - Encryption
        - Smart cards
        - Biometrics
        - PKI Certificates

    32. Process: PIAs for IT Systems: Physical Access Controls Tab
        This tab asks questions regarding what measures are taken to secure the data and protect the system, buildings, and related supporting infrastructure against threats associated with the physical environment:
        - Guards
        - ID badges
        - Key Cards
        - Cipher Locks
        - Biometrics
        - CCTV

    34. Process: PIAs for TPWAs: Complete the Adapted PIA Form
        Regardless of whether or not the TPWA collects, uses or stores PII, you must complete the adapted PIA Form. The TPWA PIA includes the following sections:
        - General Information
        - Requirements
        - Notice Practices
        - Information Collection & Use Practices
        - Information Sharing & Maintenance Practices

    35. Process: PIAs for TPWAs: General Information Tab
        This tab requires the following information:
        - Name: The name should follow the format “IC and Acronym/Name of TPWA/Name the IC will use for the TPWA”. This construction in SPORT should match what is entered in the NIH Certification and Accreditation Tool (NCAT) where the system is first created. Example: National Cancer Institute (NCI)/Facebook/Cancer.gov.
        - New or Existing PIA: If this is the first time a PIA is being conducted on the use of the TPWA, answer “YES.” If the PIA exists and is being updated, answer “NO.” If the TPWA is a revision of an existing one, a reason must be provided as to why the PIA is being updated.
        - Date of PIA Promotion for NIH SOP Review: The date must reflect the current fiscal year.
        - Name of the IC: Use the drop down menu to select the IC.

    36. Process: PIAs for TPWAs: General Information Tab
        Unique Project Identifier (UPI): The UPI number is associated with Exhibit 300s and 53s which are submitted to OMB prior to the purchase of major IT investments over a certain dollar threshold and during budget cycles. The format of the UPI is established in OMB Circular A-11, Section 53.8. The use of a TPWA would not require a UPI number if, for example, no Exhibit 300 exists or the use of the TPWA is not classified as a “Major Investment.”
        The UPI:
        - Ensures proper tracking and submission of information to OMB.
        - Must reflect the current fiscal year.

    37. Process: PIAs for TPWAs: General Information Tab
        In some cases, the use of a TPWA will create a new or modify an existing System of Records (SOR) under the Privacy Act (PA) of 1974, as amended. The IC Privacy Coordinator can assist in determining if a System of Records Notice (SORN) is required (e.g., the TPWA is designed to retrieve information about an individual by an identifier linked or linkable to them).
        - SORN Number: If the requirements of the PA are applicable, indicate the SORN number.
        - A SOR is any item, collection, or grouping of information in electronic or hardcopy form about individuals, that is maintained by an agency and contains a name, number, symbol, or other unique identifier assigned to the individual. Single records or groups of records which are not retrieved by a personal identifier are not part of a SOR. If records are used to determine rights, benefits, privileges of individuals, they become agency records subject to the Privacy Act.
        - A SORN is a publication in the Federal Register of the system of records that covers the affected individuals. It can be internal (NIH # 09-25-xxxx or HHS # 09-90-xxxx), central (OPM) or government-wide (EEOC, OGC, GSA, FEMA, DOL). A SORN must be in place before PII is collected by the agency.

    38. Process: PIAs for TPWAs: General Information Tab
        In some cases, the use of a TPWA may create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA). The IC PRA Liaison can assist in determining if the TPWA is considered to be a collection under the PRA (e.g., a survey designed to collect information from 10 or more members of the public).
        - OMB Approval Number and Expiration Date: If the requirements of the PRA are applicable, indicate the OMB approval number assigned pursuant to the PRA filing and the expiration date. This number is sometimes referred to as an OMB control number. If OMB approval has not been obtained, the answer should describe the plans to obtain clearance under the PRA.

    39. Process: PIAs for TPWAs: General Information Tab
        - Use of Federal Records: Determines if records stored by the TPWA are considered to be official Government records under the Federal Records Act (FRA). The IC Records Liaison should be able to assist in determining if the FRA applies to the records, and if so, what the applicable NIH records retention schedule is that covers the records.
        - Point of Contact: Identifies the person to whom questions about the responses to the TPWA PIA may be addressed.
        - Purpose: Explains in detail the reason the TPWA is being used and its importance to the NIH/IC mission (e.g., to maximize opportunities to engage and communicate with the public).

    40. Process: PIAs for TPWAs: Requirements Tab
        This tab requires:
        - Third-Party’s Privacy Policy: Prior to utilizing a TPWA, the IC must evaluate the privacy policies of the third-party to determine if there are any risks to a user that would preclude the IC from utilizing the tool to engage the public. Examples of a potential risk could include a third-party’s release of personal information for commercial purposes (e.g., Facebook recently enabled facial recognition without notifying its users to change their privacy settings. They can change their policy at any time during the day, and based on the terms of service agreement negotiated with GSA, may not be required to notify the Federal Government of the change).
        - Alternative Means By Which The Public Can Obtain Comparable Information: Members of the public should not be required to use a TPWA to obtain information or services. The public must be provided with an alternative means to get the same information or services being offered by the TPWA.

    41. Process: PIAs for TPWAs: Requirements Tab
        This tab requires:
        - Appropriate NIH or IC Branding: Use of TPWAs and the content therein must clearly identify ownership or sponsorship through the use of NIH or IC branding. Branding is not required to be an official agency seal or logo; however, the image must clearly distinguish NIH’s presence and activity from those of non-government actors. For example, the IC should add a seal or emblem to its profile page. HHS, NIH, and IC logo policies apply to uses of TPWA.
        - Navigating to the TPWA from the NIH or IC Hyperlink, Website or Embedded Link: An alert (e.g., statement, icon, label adjacent to the hyperlink or “pop-up”) must explain to the Internet user that they are being re-directed to a non-governmental Website or application that may have different privacy policies from those of the IC’s official Website.
        - NIH Notification Prior to Using a TPWA: NIH must identify if the TPWA contains an alert notifying the user that the information and/or processes of the TPWA are not controlled by the NIH.

    42. Process: PIAs for TPWAs: Notice Practices Tab
        This tab requires the following information:
        - Privacy Policy: A single, centrally located statement of the Website’s privacy standards and processes, which is accessible from an IC’s official homepage. The Privacy Policy should be a consolidated explanation of the IC’s general privacy-related practices that pertain to its official Website and its other online activities. It serves to notify individuals before they engage with NIH and must be updated to include required information about the use of a TPWA.
        - Privacy Notice: A brief description of how the Privacy Policy will apply in a specific situation. The Privacy Notice must be written in plain language, clearly labeled and conspicuously placed on all locations where the public might make PII available to NIH. Due to technical limitations, the use of some TPWAs may make it difficult to post a Privacy Notice. However, the IC should ensure that a Privacy Notice is posted when feasible.
        For more information about required content, refer to the HHS Guidance entitled Implementation of OMB M-10-22 and OMB M-10-23, dated December 21, 2010.

    43. Process: PIAs for TPWAs: Notice Practices Tab
        This tab also requires confirmation that the Privacy Notice is prominently placed at all locations on the TPWA where the public might make PII available.
        - The term “make PII available” includes any agency action that causes PII to become available or accessible to the agency, whether or not the agency solicits or collects it.
        - In general, an individual can make PII available to an agency when s/he provides, submits, communicates, links, posts, or associates PII while using the Website or application.
        - “Associate” can include activities commonly referred to as “friending,” “following,” “liking,” “joining a group,” “becoming a fan,” and comparable functions.

    44. Process: PIAs for TPWAs: Information Collection & Use Practices Tab
        This tab requires the following information:
        - PII Collected by the IC from the TPWA: “Collecting PII” is defined by the Department as any act, whether by humans or a technology, to collect or obtain any PII that is requested or made available through the TPWA with or without the consent of the user for any period of time (e.g., IC copies and pastes comments that include PII, into a file for other uses).
        - Clearly outline the type of PII that is collected or that will likely be made available to the IC through the public’s use of the TPWA and identify how the IC will use that information.
        Note: The minimal amount of information necessary to perform a task should be collected. Refrain from using free form text fields!

    45. Process: PIAs for TPWAs: Information Sharing & Maintenance Practices Tab
        This tab requires the following information:
        - Type of PII Collected/Made Available to NIH through the Use of a TPWA (e.g., name, e-mail address, etc.)
        - To Whom the PII will be Shared (e.g., shared internally within NIH/HHS or shared with parties outside of NIH/HHS)
        - Business Purpose for Sharing the PII (e.g., shared with those with a valid and legitimate reason to view/access the information)
        - Description of How the Risks of Sharing PII are Mitigated (e.g., applicable administrative, technical, or physical access controls that help minimize the risks associated with sharing the information).

    46. Process: PIAs for TPWAs: Information Sharing & Maintenance Practices
        This tab requires:
        - Maintenance of PII Collected from the TPWA: The term “maintain” implies that the PII in any format is actively maintained for a specific period of time (e.g., comments posted to the TPWA are exported to a Word file and/or screen shots are saved in a file and exported via e-mail)
        - How PII will be Secured: A description of the applicable administrative, technical, or physical access controls used to secure the PII stored within the TPWA.

    47. Process: PIAs for TPWAs: Information Sharing & Maintenance Practices
        This tab requires that the PIA Author identify any other privacy risks that exist and how the IC will mitigate them.
        - For example, a TPWA that allows individuals to provide comments introduces the privacy risk that members of the public could provide their own PII. A means for managing this risk could be the development of policies and procedures to monitor and moderate comments.
        - Other examples of common privacy risks include changes in technology or modifications to the TPWA privacy policies.

    49. Other Considerations: Risk Mitigation
        PIAs provide a snapshot of privacy efforts and weaknesses at the program and IT System or TPWA level. Failure to comply with privacy controls presents a risk to the organization and could result in unwanted public scrutiny, legal implications or a potential financial penalty.
        IT System and TPWA Owners/Managers should:
        - Review PIAs to identify privacy weaknesses in the IT System’s or TPWA’s management, operational, or technical functions;
        - Include weaknesses in the IT System’s Plan of Action & Milestones (POA&M);
        - Review PIAs during every stage of the System Development Life Cycle (SDLC) to ensure that privacy/security controls exist to safeguard the use of PII;
        - Implement risk mitigation strategies.

    50. Other Considerations: Monitor Negative Implications
        - Ensure the IT System or TPWA continually meets privacy/security legislation, law, and requirements;
        - Monitor changes in the collection of the data, use of it, and the way in which it is shared or aggregated within the IT System or TPWA that may impact privacy/security;
        - Update the PIA if the IT System or TPWA has undergone a major change; and,
        - Monitor the effectiveness of privacy controls by conducting regular self-assessments, privacy/security reviews, and audits.

    52. Overview of SPORT: Requests for New Account
        - User accounts must be requested by the IC Privacy Coordinator, ISSO or senior level administrator, such as an Administrative Officer or Executive Officer.
        - Requests should include the type of role and editing capabilities the user needs.
        - Users must have an Active Directory (AD) account. User IDs are matched to a person’s AD account.
        - Passwords are NOT the same as the AD password. They need to be 8 characters and include upper and lower case, number and character (please ~ no tildes).
        - Passwords need to be changed every 90 days.
        - Notify NIHSPORT@mail.nih.gov of intent to complete a PIA, to request access to SPORT and to have passwords enabled or re-set.

    53. Overview of SPORT: PIA Roles. The IC determines what roles a user should have in SPORT. There are three types of PIA roles: PIA Owner (user, generally the PIA Author, has edit rights); PIA Promoter (user can review/demote/promote to the NIH SOP, no edit rights); PIA Reviewer (user has review rights only).

    54. Overview of SPORT: Accessing the Application

    55. Overview of SPORT: Changing Your Password

    56. Overview of SPORT: Selecting the PIA Form. Ensure that the Forms tab is selected. Then go to the ITEM drop-down menu and click on the arrow; a window will open.

    57. Overview of SPORT: Selecting the TPWA. Click on the + next to your IC to open the portfolio and then click on the + next to your “NIH IC TPWA PIA” portfolio. Select the TPWA that you want to work on. The window will refresh and your TPWA will be listed in the ITEM box.

    58. Overview of SPORT: Selecting the TPWA Form. Select the drop-down arrow for FORM. Click on the + next to the PIA portfolio. Select 06.4 Third Party Web PIA. The TPWA form is now available so that you can fill in the data.

    59. Overview of SPORT: Requesting a New Third Party Website Listing. Follow the instructions below to request a listing in SPORT for a new Third Party Website: Notify the NIH SPORT Team when a new listing needs to be added to SPORT. Provide the IC name, name of the TPWA, and a description of the TPWA (e.g., NIH National Cancer Institute (NCI)/Facebook/Cancer.gov). (Ensure that all appropriate people in your IC [Privacy Officer, ISSO, etc.] are aware of and approve the request.) The NIH SPORT Team will add the listing and send an email indicating that it has been done. Go to the following URL to log on to SPORT: https://sport.hhs.gov/Prosight Enter your logon credentials. (If you have forgotten your credentials, please contact the NIH SPORT Team at NIHSPORT@mail.nih.gov.) Follow the previous directions on slides 58-60 to locate the new listing.

    60. Overview of SPORT: The Adapted TPWA PIA Form. Remember to periodically hit the “Submit” button to save the information in the TPWA PIA Form.

    61. Agenda Introduction Legislative Drivers Background Process PIAs for Information Technology (IT) Systems PIAs for Third-Party Websites and Applications (TPWAs) Other Considerations Appendix: Security and Privacy Online Reporting Tool (SPORT) Resources

    62. Resources: Federal Law & Guidance References. Privacy Act of 1974, as amended (5 U.S.C. 552a) (December 31, 1974): http://www.justice.gov/opcl/privstat.htm Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501) (May 22, 1995): http://www.reginfo.gov/public/reginfo/pra.pdf Clinger-Cohen Act of 1996 (40 U.S.C. Section 1401) (February 10, 1996) (also known as the Information Technology Management Reform Act): http://uscode.house.gov/download/title_40.shtml Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. 552a(o)) (October 18, 1988): http://www.whitehouse.gov/omb/inforeg/final_guidance_pl100-503.pdf E-Government Act of 2002 (E-GOV) Section 208 (Title II) (44 U.S.C. Chapter 36) (December 17, 2002): http://www.whitehouse.gov/omb/memoranda_m03-22 Federal Information Security Management Act (FISMA) (Title III) of 2002 (44 U.S.C. Chapter 35) (December 17, 2002): http://csrc.nist.gov/drivers/documents/FISMA-final.pdf

    63. Resources: OMB Circulars and Memoranda (M): Circular A-11, Preparation, Submission and Execution of the Budget, as revised (November 12, 2010): http://www.whitehouse.gov/sites/default/files/omb/assets/a11_current_year/a_11_2010.pdf M-11-02, Sharing Data While Protecting Privacy (November 3, 2010): http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-02.pdf M-10-23, Guidance for Agency Use of Third-Party Websites and Applications (June 25, 2010): http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies (June 25, 2010): http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-22.pdf M-10-06, Open Government Directive (December 8, 2009): http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-06.pdf

    64. Resources: OMB Circulars and Memoranda (M): M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007): http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-16.pdf M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006): http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2006/m06-19.pdf M-06-16, Protection of Sensitive Agency Information (June 23, 2006): http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2006/m06-16.pdf M-06-15, Safeguarding Personally Identifiable Information (May 22, 2006): http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2006/m-06-15.pdf M-05-08, Designation of Senior Agency Officials for Privacy (February 11, 2005): http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-08.pdf M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 30, 2003): http://www.whitehouse.gov/omb/memoranda_m03-22/

    65. Resources: Departmental Regulations and Policy: HHS Cybersecurity Program Information Security and Privacy Program Policy: http://www.hhs.gov/ocio/policy/policy-hhs-ocio-2010-0006-html.html HHS Privacy Act Regulations, 45 CFR, part 5b: http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=d8c05a9cf0b3dd219f61ecf068cb7260&rgn=div5&view=text&node=45:1.0.1.1.7&idno=45 NIH Policy & Guidance: NIH Manual Chapter 2809, NIH Social and New Media (Release TBD); NIH Manual Chapter 2805, NIH Web Privacy Policy (Release TBD); NIH Manual Chapter 2804, NIH Public-Facing Web Management (Release TBD); NIH Manual Chapter 1825, Information Collection from the Public; NIH Policy 1745-1, NIH Privacy Impact Assessments; NIH PIA Guide

    66. Resources
