Understanding the Privacy Impact Assessment (PIA)

Introduction
The PIA is a checklist or tool to ensure that new or modified electronic collections of information on individuals:
- Are evaluated for privacy risks.
- Are designed with Privacy Act life cycle management requirements (collection, maintenance, use, safeguards and records scheduling).
- Ensure that appropriate privacy protection measures are in place.

When Do You Complete a PIA?
• At different stages of a project's life cycle - each phase may introduce new privacy risks.
• When collecting information from websites (e-forms, surveys, etc.).

When Do You Submit Copies?
• DOI IT Security Asset Valuations
• DOI IT Security Certification and Accreditations
• OMB Exhibit 300s
• Identify on websites collecting information from the public
• Identify in the Privacy Act system of records notice in the Federal Register
• Identify in OMB Information Collection Clearance packages

DOI Requirements
• DOI's PIA requirements extend to all systems that contain information on individuals (this includes systems with information on BOTH employees and members of the public; OMB makes this an option in M-03-22).
• DOI requires that all systems perform a "preliminary review" for information on individuals - DON'T CONFUSE THIS WITH DOING A COMPLETE PIA.
• The "preliminary review" is documentation to verify that we've looked at all systems to determine whether they maintain information on individuals (keep it with the metadata).
• Doing this "preliminary review" (completing the PIA template questions up to B.1.a.) will help you determine whether you need to continue on and complete the PIA.
• If you determine that there is no information on individuals in the system, there is no point in completing the rest of the PIA document.

OMB's Requirement for Exhibit 300s
• OMB's requirement for Exhibit 300s is narrower than DOI's.
• OMB only requires a PIA for systems that maintain information on individuals WHO ARE MEMBERS OF THE PUBLIC.
• OMB has explained that General Support Systems require a PIA when they "maintain" information on individuals (i.e., collect, store, use, or dispose of the information).
• Networks that are just conduits of information, and do not "maintain" it in the sense above, do not require a PIA.
• OMB is NOT interested in the DOI "preliminary reviews" or in PIAs done for systems that maintain information on employees (those are optional).
• Mark "No PIA" when there is found to be no information on individuals in the system (Remember - the "preliminary review" is NOT a PIA).

References
• OMB Memo of 9/26/03 (M-03-22) on implementing the Privacy Provisions of the E-Government Act
• OCIO Directive of 10/18/02 on implementing PIAs
• Privacy reference material on the DOI Privacy Program Webpage - www.doi.gov/ocio/privacy