Privacy Impact Assessments
Overview and Requirements
A privacy impact assessment (PIA) is a tool designed to assist agencies in ensuring that they have considered all privacy safeguards necessary for the protection of personally identifiable information (PII) collected, maintained, passed through, or disseminated by an electronic (or IT) system. The requirement for PIAs originated in the E-Government Act of 2002 and was further clarified in OMB Memorandum M-03-22, "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002."
The E-Government Act requires that PIAs be conducted on all new Federal systems collecting information in identifiable form, meaning any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
The Department of Health and Human Services (HHS) requires PIAs to be conducted on all IT systems, regardless of whether or not they collect information in identifiable form. The E-Government Act does not limit its coverage to U.S. persons; instead it focuses on information systems. Thus, the Act requires that an information system be analyzed for privacy risks based on the architecture of the system itself and its associated collections and uses, without regard to whom the system covers.
The documented process allows system owners to identify and protect the PII of employees and members of the public. Further, NIH policy for PIAs establishes roles and responsibilities among NIH privacy stakeholders for the completion and review of PIAs.
The PIA process requires agencies to:
- Oversee the accurate completion of all agency PIAs, using the Security and Privacy Online Reporting Tool (SPORT), formerly known as ProSight FISMA, to ensure the protection of PII; and
- Report on PIA completion and other related information to HHS and the Office of Management and Budget (OMB) for Federal Information Security Management Act (FISMA) reporting.
The SPORT Tool is an electronic portfolio management system used by all HHS Operating Divisions (OPDIVs) to automate processes in support of quarterly and annual Federal Information Security Management Act (FISMA) reporting to OMB. In support of FISMA privacy management, the SPORT Tool enables NIH privacy stakeholders to view and modify privacy impact assessments (PIAs) associated with their respective Institute or Center (IC).
SPORT Tool requires:
- System Owners/Managers (or a designee) to contact ProSight FISMA Accounts email group at psfisma@mail.nih.gov to request that the system designation be established in the SPORT Tool;
- Users to provide the IC, system name, and acronym for the system;
- Designated PIA authors and reviewers (i.e. System Owners/Managers, IC Privacy Coordinators, Information Systems Security Officers (ISSOs), Executive Officers (EOs), or Administrative Officers (AOs)) to be granted access to SPORT Tool through the ProSight FISMA Accounts email address (see above); and
- PIA authors to complete all necessary PIA tabs and answer all questions thoroughly and appropriately (see NIH PIA Guide, Section VI).
Policies and Procedures
NIH Manual 1745 - NIH Information Technology (IT) Privacy Program:
http://www3.od.nih.gov/oma/manualchapters/management/1745/
NIH Manual 1745-1 - NIH Privacy Impact Assessments:
http://www3.od.nih.gov/oma/manualchapters/management/1745-1/
NIH PIA Guide:
http://oma.od.nih.gov/ms/privacy/NIHPIAGuide.doc
Roles and Responsibilities (e.g., POCs)
NIH Manual 1745-1 - NIH Privacy Impact Assessments:
http://www3.od.nih.gov/oma/manualchapters/management/1745-1/
Education and Outreach
NIH PIA Training Presentation:
Color - http://oma.od.nih.gov/ms/privacy/Training2008.ppt
Black and White - http://oma.od.nih.gov/ms/privacy/Training2008bw.ppt
NIH Privacy Awareness Training:
http://irtsectraining.nih.gov
The Department of Health and Human Services (HHS) Security and Privacy Training Website:
http://www.hhs.gov/ocio/securityprivacy/awarenesstraining/awarenesstraining.html
HHS PIA Training:
http://oma.od.nih.gov/ms/privacy/Privacy_Impact_Assessment_SOP_Final_02102009.doc
Frequently Asked Questions (FAQs)
1. What is a PIA?
- A means to assure compliance with applicable privacy laws and regulations;
- An evaluation tool used to embed privacy into the design of information technology (IT) systems;
- An analysis instrument to enable system developers and system owners/managers to identify and evaluate privacy risks; and
- A tool that evaluates:
- Data in the IT System;
- Attributes of the Data;
- Access to the Data;
- Information Sharing Practices;
- Web Site Host; and
- Maintenance of Administrative & Technical Controls
- Parts of a PIA include:
- Date of Submission;
- Agency/OPDIV/IC;
- Title of System;
- Existing, New or Modified?;
- Unique Project Identifier;
- System of Records Number;
- OMB Info Collection Approval Number & Expiration Date;
- Other Identifier;
- System Overview;
- Legislative Authority;
- How will information be collected?;
- How will IC use the information?;
- Why is information collected?;
- With whom will the information be shared?;
- From whom will the information be collected?;
- What will subjects be told about the collection?;
- How will the message be conveyed?;
- What are opportunities for consent?;
- Will information be collected from children under 13 on the internet? If so, how will parental approval be obtained?;
- How will information be secured?; and
- How will information be retained and destroyed?
2. Why do we conduct PIAs?
- To help determine what type of information is collected by IT systems throughout NIH;
- To decide which precautions need to be implemented to protect such information;
- To provide privacy stakeholders an orderly process in which they can report IT system collected information to the SOP; and
- To have an orderly process for submitting IT system information related to privacy for FISMA reporting.
3. Who is responsible for the PIA process?
- The PIA process is a collaborative one, and involves multiple stakeholders;
- Those with the most knowledge and insight into a system, its characteristics, and the privacy and security controls in place should complete the PIA. This can include a System Owner/Manager or program official. PIA authors can also consult with the IC Privacy Coordinator and Information System Security Officer (ISSO);
- Once the PIA is completed by the PIA author, it is sent to the PIA Reviewer for review and comments. The PIA Reviewer role should be assigned to the IC Privacy Coordinator or a designee. If no revisions are required, the PIA Reviewer can promote the PIA to the NIH Office of the Senior Official for Privacy (OSOP); and
- The OSOP reviews completed PIAs and promotes them to the HHS Senior Agency Official for Privacy (SAOP) if complete and accurate, or returns the PIA to the IC Privacy Coordinator if it is incomplete or requires changes.
4. When do I fill out the entire PIA vs. the PIA Summary?
- If the system for which the PIA is being completed collects PII, the entire PIA form must be completed. If it does NOT collect PII, you only need to complete the PIA Summary tab; and
- NOTE: If you are working to complete the PIA Summary, you must clearly explain why/how the system does not collect PII.
5. How do I determine if a system collects PII?
- PII is defined as any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual;
- If any of these, or any other categories of information that can be linked to an individual, are stored, maintained, passed through, or disseminated by the system, the system collects PII; and
- IC Privacy Coordinators should be able to validate whether or not a system collects PII based on the information provided to them by System Owners/Managers.
6. Must I complete a new PIA for an existing IT system each year?
- A new PIA is not required if information has been previously assessed under a similar evaluation, or if the system has not undergone any major changes as defined in OMB M03-22; and
- All existing PIAs must be reviewed for accuracy each year.
7. Are there any quick tips that would make PIA completion easier?
- Consult with other privacy stakeholders as appropriate (e.g. IC Privacy Coordinator, IC Chief Information Officer and ISSOs) when questions about PIAs, privacy, or other questions arise;
- Ensure that your answers are accurate and complete (specifically answer the questions, provide sufficient detail, spell out acronyms, check spelling etc.);
- Remember that PIAs are published to a public website;
- Avoid contradicting answers. For example, do not deny that the system collects Social Security Numbers (SSN) and then later claim that the system retrieves information using SSN;
- System Owners/Managers should work with IC Privacy Coordinators and ISSOs early in the SDLC to ensure that the PIA process is properly incorporated;
- Know the business objective of the system; and
- Know the difference between privacy and security.
8. Does the FISMA Tool inform the OSOP when I update/promote a PIA?
- No. The FISMA Tool does not inform the OSOP when any changes are made to a PIA. System Owners/Managers and IC Privacy Coordinators should alert the OSOP when a PIA has been updated/promoted. This will improve the NIH’s PIA process and increase its efficiency.
PIA Form FAQs
9. What is a Unique Project Identifier (UPI) Number and how can I find one?
- The UPI Number is used to report IT investments during the budget process and to ensure the integration of strategic planning, budgeting, procurement, and the management of IT investments in support of the agency’s mission and business needs. It reflects information such as the OPDIV and office where the investment project was initiated, the type of investment, and other information. The UPI is used by OMB to track the system through the PIA, C&A, and POA&M processes. The number is attached to Exhibit 53s and described in Exhibit 300s, which are submitted to OMB prior to major investment and budget requests. The number is long and appears as follows: 009-25-xx-xx-xx-xxxx-xx-xxx-xxx (defined in OMB Circular A-11, Section 53.8);
- 2008 UPI means the unique project identifier used to report the investment in the 2008 Budget. Indicating the UPI used for the 2008 Budget process allows crosswalk and historical analysis crossing fiscal years for tracking purposes;
- 2009 UPI means the identifier depicting agency code, bureau code, mission area (where appropriate), part of the exhibit where investment will be reported, type of investment, agency four-digit identifier, and two-digit investment category code;
- NOTE: Not all systems require UPI numbers. If a UPI does not exist for a system, you must provide an explanation in the PIA form; and
- If you are unsure about the UPI, contact the Project Officer. If he/she is not able to assist you, contact the ODCIO IT Policy and Review Office (ITPRO), the ODCIO Information Technology Acquisition Services Office (ITASO), or the ODCIO Information Security and Awareness Office (ISAO).
10. What is a System of Records Notice (SORN) and where can I find one?
- A SORN describes the Privacy Act system of records and the categories of PII collected, maintained, retrieved, and used within the system. It provides information to the public on various characteristics of the system (e.g. description, purpose, data collection, notification, retention and disposal, etc.) and how NIH intends to manage and protect the system. The SORN Number is the number assigned to the Privacy Act SORN (also referred to as the Systems Notice);
- NOTE: If the system is subject to the Privacy Act, then a SORN must be cited as the answer to question 4; and
- All NIH SORNs are located at:
http://oma.od.nih.gov/ms/privacy/pa-files/read02systems.htm
11. What is an OMB Information Collection Approval Number?
- The Paperwork Reduction Act (PRA) of 1995 requires agencies to obtain approval from OMB prior to soliciting and/or obtaining identical information from ten or more members of the public. PRA/OMB approval is required whether the Federal agency collects the information itself or uses an outside agent or contractor. OMB requires 90-120 days to approve new information collections and to renew existing approvals. The OMB Information Collection Approval Number should be identical to the one OMB assigned when the collection was filed under the Paperwork Reduction Act, and is sometimes referred to as an OMB control number. It applies only if the system maintains data as part of an approved OMB information collection from ten or more members of the general public; and
- You can click on the Office of Extramural Research (OER) Intranet website at: http://odoerdb2.od.nih.gov/oer/policies/project_clearance/pcb.htm to obtain a list of NIH PRA/OMB Project Clearance Liaisons, and get more information about whether your IT system has been approved for PRA/OMB information collection.
12. Are there policies or guidelines in place with regard to the retention and destruction of PII?
- For Privacy Act systems of records, records retention and disposal procedures should be indicated within the SORN cited for the system. If the system is not subject to the Privacy Act and does not have a SORN in place, consult with the IC Records Liaison to ascertain the appropriate records retention and disposal schedule for the system. A list of IC Records Liaisons can be accessed from OMA’s webpage at: http://oma.od.nih.gov/about/contact/browse.asp?fa_id=2
Definitions
Accreditation: The formal declaration by the Designated Approving Authority (DAA) that a major application or general support system is granted approval to process using a prescribed set of safeguards in a specific operational environment. The accreditation decision is made on the basis of a certification by designated technical personnel that the system meets prespecified technical requirements for achieving adequate security after the implementation of an agreed upon set of security controls. (See also: certification.) (Defined in NIST SP 800-18, Appendix D.)
Certification: A comprehensive analysis of the management, operational, and technical security controls in an information system, application, or network design, to establish the extent to which an implementation meets a set of pre-specified security requirements. This evaluation, made in support of the security accreditation process, determines the effectiveness of these security controls in a particular environment of operation and the remaining vulnerabilities in the information system after the implementation of such controls. (See also: accreditation.) (Defined in NIST SP 800-37, Annex B.)
Information in Identifiable Form (IIF): Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
(Defined in the E-Government Act of 2002, Public Law 107-347, Title II and III).
Information in an information system or online collection:
- That directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc); or
- By which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic identifier, and other descriptors). (Defined in OMB Memorandum M-03-22, Guidance for Implementing Privacy Provisions of the E-Government Act of 2002).
Note: The acronyms IIF and PII are often used interchangeably
Major Change: Any change that is made to the system environment or to the operation of the system. According to OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, PIAs should be conducted following any major change, including, but not limited to:
- Conversions: A conversion from paper-based methods to electronic systems;
- Anonymous to Non-Anonymous: When the system’s function, as applied to an existing information collection, changes anonymous information into IIF;
- Significant System Management Changes: In the case that new uses of an existing IT system, including application of new technologies, significantly change the process of managing IIF in the system;
- Significant Merging: When agencies adopt or alter business processes so that government databases holding IIF are merged, centralized, matched with other databases, or otherwise significantly manipulated;
- New Public Access: When user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system, which can be accessed by the public;
- Commercial Sources: When IIF is obtained from commercial or public sources and is systematically integrated into the existing information systems databases;
- New Interagency Uses: When agencies work together on shared functions involving significant new uses or exchanges of IIF;
- Internal Flow or Collection: When alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional IIF; and
- Alteration in Character of Data: When new IIF added to a collection raises the risk to personal privacy, such as the addition of health or privacy information.
(Defined in Secure One HHS Information Security Program Privacy Impact Assessment (PIA) Guide).
Personally Identifiable Information (PII): Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. (Defined in OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments).
Note: The acronyms PII and IIF are often used interchangeably.
Plan of Action and Milestones (POA&M): A tool that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones. The purpose of the POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. (Defined in OMB Memorandum M-02-01.)
Privacy Impact Assessment (PIA): A methodology that provides information technology (IT) security professionals with a process for assessing whether appropriate privacy policies, procedures, and business practices—as well as applicable administrative, technical and physical security controls—have been implemented to ensure compliance with federal privacy regulations. (Defined in Secure One HHS Information Security Program Privacy Impact Assessment (PIA) Guide).
Sensitive Information: Information is considered sensitive if the loss of confidentiality, integrity, or availability could be expected to have a serious, severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Further, the loss of sensitive information confidentiality, integrity, or availability might: (i) cause a significant or severe degradation in mission capability to an extent and duration that the organization is unable to perform its primary functions; (ii) result in significant or major damage to organizational assets; (iii) result in significant or major financial loss; or (iv) result in significant, severe or catastrophic harm to individuals that may involve loss of life or serious life threatening injuries. (Defined in HHS Memorandum ISP-2007-005, "Departmental Standard for the Definition of Sensitive Information").
System: A collection of computing and/or communications components and other resources that support one or more functional objectives of an organization. IT system resources include any IT component plus associated manual procedures and physical facilities that are used in the acquisition, storage, manipulation, display, and/or movement of data or to direct or monitor operating procedures. An IT system may consist of one or more computers and their related resources of any size. The resources that comprise a system do not have to be physically connected. (Defined in NIST SP 800-16, Appendix C.).
System Development Life Cycle (SDLC): A software development process that is used by a systems analyst to develop and maintain an information system. This process includes five system phases: Initiation, acquisition/development, implementation/assessment, operation/maintenance, and disposition. (Defined in NIST SP 800-34, Appendix E.)
Vulnerability: A flaw or weakness in the design or implementation of an information system (including the security procedures and security controls associated with the system) that could be intentionally or unintentionally exploited to adversely affect an organization’s operations or assets through a loss of confidentiality, integrity, or availability. (Defined in NIST SP 800-53, Appendix B.)
References
Privacy Act of 1974 (5 U.S.C. Section 552a, as amended):
http://www.usdoj.gov/oip/privstat.htm
http://www.usdoj.gov/oip/04_7_1.html
The E-Government Act of 2002 (see Title II, Section 208 for privacy provisions):
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ347.107.pdf
Computer Matching and Privacy Act of 1988:
http://www.usdoj.gov/oip/1974compmatch.htm
Paperwork Reduction Act:
http://www.archives.gov/federal-register/laws/paperwork-reduction/
Circular No. A-130:
http://63.161.169.137/omb/circulars/a130/a130.html
Memorandum M-03-22 issued by OMB in September 2003:
http://www.whitehouse.gov/omb/memoranda/m03-22.html
Memorandum M-04-24 issued by OMB in August 2004:
http://www.whitehouse.gov/omb/memoranda/fy04/m04-24.html
Memorandum M-05-15 issued by OMB in June 2005:
http://www.whitehouse.gov/omb/memoranda/fy2005/m05-15.html
Memorandum M-07-16 issued by OMB in May 2007:
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf
Memorandum M-07-19 issued by OMB in July 2007:
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-19.pdf
Memorandum M-08-09 issued by OMB in January 2008:
http://www.whitehouse.gov/omb/memoranda/fy2008/m08-09.pdf
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60:
http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf
NIH, HHS, and Federal Privacy Act Systems of Records Notices (SORNs):
http://oma.od.nih.gov/ms/privacy/pa-files/read02systems.htm
HHS Information Security Program Policy:
http://intranet.hhs.gov/infosec/docs/policies_guides/ISPP/Information_Security_Program_Policy.doc
Information Security Program Privacy Policy (Memorandum):
http://intranet.hhs.gov/infosec/docs/policies_guides/ISPPM/Infosec_Program_Privacy_Policy_memo.doc
Plan of Action and Milestones (POA&M) Guide:
http://intranet.hhs.gov/infosec/docs/policies_guides/POAM/poam_toc.html
HHS PIA Policy:
http://www.hhs.gov/ocio/policy/20090001.001.html
The HHS PIA Guide:
http://intranet.hhs.gov/infosec/docs/policies_guides/PIA/PIA_TOC.htm
NIH PIA Guide:
http://oma.od.nih.gov/ms/privacy/NIHPIAGuide.doc
NIH PIA Training Presentation:
Color - http://oma.od.nih.gov/ms/privacy/Training2008.ppt
Black and White - http://oma.od.nih.gov/ms/privacy/Training2008bw.ppt
NIH Manual 1745-1 - NIH Privacy Impact Assessments:
http://www3.od.nih.gov/oma/manualchapters/management/1745-1/
SPORT Tool Information and Links:
https://ocio.nih.gov/nihonly/security/ProSight-FISMA-info.htm