1. Understanding the Privacy Impact Assessment (PIA) Introduction
The PIA is a checklist or tool to ensure that new or modified electronic collections of information on individuals:
- Are evaluated for privacy risks.
- Are designed with Privacy Act life cycle management requirements (collection, maintenance, use, safeguards and records scheduling).
- Ensure that appropriate privacy protection measures are in place.
2. Understanding the Privacy Impact Assessment (PIA) When do you Complete a PIA?
At different stages of a project's life cycle; each phase may introduce new privacy risks.
When collecting information through websites (e-forms, surveys, etc.).
3. Understanding the Privacy Impact Assessment (PIA) When Do You Submit Copies?
DOI IT Security Asset-Valuations
DOI IT Security Certification and Accreditations
OMB Exhibit 300s
Identify on websites collecting information from the public
Identify in Privacy Act system of records notice in the Federal Register
Identify in OMB Information Collection Clearance packages
4. Understanding the Privacy Impact Assessment (PIA) DOI Requirements
DOI's PIA requirements extend to all systems that contain information on individuals (this includes systems with information on BOTH employees and members of the public).
(OMB makes coverage of employee information optional; see OMB M-03-22.)
DOI requires that all systems perform a "preliminary review" for information on individuals. DON'T CONFUSE THIS WITH DOING A COMPLETE PIA.
5. Understanding the Privacy Impact Assessment (PIA) DOI Requirements
The "preliminary review" is documentation verifying that we have examined every system to determine whether it maintains information on individuals (keep it with the system's metadata).
Doing this "preliminary review" (completing the PIA template questions up to B.1.a.) will tell you whether you need to continue on and complete the full PIA.
6. Understanding the Privacy Impact Assessment (PIA) DOI Requirements
If you determine that the system holds no information on individuals, there is no need to complete the rest of the PIA document.
7. Understanding the Privacy Impact Assessment (PIA) OMB's Requirement for Exhibit 300s
OMB's requirement for Exhibit 300s is narrower than DOI's.
OMB only requires a PIA for systems that maintain information on individuals WHO ARE MEMBERS OF THE PUBLIC.
8. Understanding the Privacy Impact Assessment (PIA) OMB's Requirement for Exhibit 300s
OMB has explained that a General Support System requires a PIA when it "maintains" information on individuals (i.e., collects, stores, uses, or disposes of the information).
In regard to networks: if a network is merely a conduit for information and does not "maintain" it in the sense above, a PIA is not required.
9. Understanding the Privacy Impact Assessment (PIA) OMB's Requirement for Exhibit 300s
OMB is NOT interested in the DOI "preliminary reviews" or in PIAs done for systems that maintain information only on employees (these are optional).
Mark "No PIA" when the system is found to contain no information on individuals (Remember: the "preliminary review" is NOT a PIA).
10. Understanding the Privacy Impact Assessment (PIA) References
OMB Memo of 9/26/03 (M-03-22) on implementing the Privacy Provisions of the E-Government Act
OCIO Directive of 10/18/02 on implementing PIAs
Privacy reference material on the DOI Privacy Program Webpage: www.doi.gov/ocio/privacy