Privacy Impact Assessments
The requirement for PIAs originated in the Electronic Government (E-Gov) Act of 2002 and was further clarified in Office of Management and Budget (OMB) Memorandum M-03-22, "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002."
The PIA is an integral part of risk management. A PIA gives an organization the opportunity to anticipate and address the likely privacy impacts of a new initiative before it is deployed: to foresee problems, to identify the design features needed to minimize any impact on privacy, and/or to find less privacy-intrusive alternatives. The PIA process helps the public understand what information the organization is collecting, why it is being collected, and how it will be accessed, used, shared, and securely stored. It demonstrates that the organization has critically analyzed how the project will handle personal data and thereby supports a more fully informed decision-making process.
The E-Gov Act requires that PIAs be conducted on all new Federal systems collecting "information in identifiable form," meaning any representation of information that permits the identity of the individual to whom the information applies to be reasonably inferred by either direct or indirect means.
Title III of the E-Gov Act is the Federal Information Security Management Act (FISMA). It requires each agency to conduct an annual review of its information security program and report the results to OMB; OMB's annual FISMA reporting guidance extends that reporting to the agency's privacy program as well.
HHS requires PIAs to be conducted on all Information Technology (IT) systems and on all uses of Third-Party Websites and Applications (TPWAs). HHS also requires quarterly reviews and annual FISMA reports.
PIAs are required for:
- All FISMA-reportable electronic systems. These include General Support Systems, Major Applications, and Minor Stand-Alone Applications owned or operated by the NIH, or operated on behalf of the agency, whether hosted internally at the NIH or externally (i.e., hosted off-site by commercial vendors or contractors, including cloud-based systems).
- All uses of Third-Party Websites and Applications (TPWAs). These are web-based technologies that are not exclusively operated or controlled by a government entity, or that involve significant participation of a non-government entity. Often these technologies are located on a ".com" website or another location that is not part of an official government domain; however, third-party applications can also be embedded in or incorporated into an agency's official website.
- All surveys that contain or process PII or sensitive information. These include online surveys, employee surveys that ask for non-work-related information, and surveys submitted to OMB for clearance under the Paperwork Reduction Act (required when surveying 10 or more members of the public, e.g., to evaluate a program).
A PIA must be completed before an IT system becomes operational, before a third-party website or application account is created, and before a survey is launched. Because a PIA is an analysis of how information is handled, it serves three purposes: it ensures that handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; it determines the risks and effects of collecting, maintaining, and disseminating information in identifiable form; and it examines and evaluates protections and alternative processes for handling that information in order to mitigate potential privacy risks.
To add a new IT system, TPWA, or survey to the NIH Inventory, or to receive assistance in completing a PIA, contact your NIH IC Privacy Coordinator or the NIH Privacy Program via email at privacy@mail.nih.gov.