Privacy Impact Assessments (PIAs)
Title II and III of the E-Government Act of 2002 [PDF] requires agencies to assess the impact on privacy for systems that collect personally identifiable information (PII). The tool by which agencies perform this assessment is a privacy impact assessment (PIA). The Office of Management and Budget (OMB) guidance for implementing the privacy provisions of the E-Government Act is provided in OMB Memorandum M-03-22. In addition to performing this assessment, agencies are required to make the PIA publicly available. A list of NIH PIAs that collect information on members of the public can be found on the HHS public website.
Privacy Incidents and Breach Response
According to OMB Memorandum M-17-12, agencies must have stringent breach notification and response policies. A breach involves the loss of control, compromise, unauthorized disclosure, or unauthorized acquisition of personally identifiable information (PII). Report any lost, stolen, or compromised NIH information or equipment within one hour of discovery to the NIH IT Service Desk:
- Phone Number: (301) 496-HELP (4357)
Privacy Act
The Privacy Act balances the Government’s need to maintain information about individuals with the rights of those individuals to be protected from unwarranted invasions of their privacy. Government agencies must handle personally identifiable information (PII) maintained in a system of records in accordance with the Privacy Act and provide individuals access to records about them upon request.
How to Make a Privacy Act Request
Individuals can request access to their records by filling out the HHS Privacy Act Access Request and Consent Form or submitting a letter via mail with the same information. Send the request to:
NIH Privacy Act Officer
National Institutes of Health
6705 Rockledge Dr
Suite 601
Bethesda, MD 20892
For email requests, send to the NIH Privacy Act Officer at privacy@mail.nih.gov with the subject line: "Privacy Act Request." DO NOT attach any documents or sensitive information to your email request. The NIH Privacy Act Officer will reach out using a secure method to obtain this information from you.
How to Submit a Privacy Act Request Appeal
If your Privacy Act request is denied, you have the right to file an appeal. To appeal a denied request, submit a written request via mail to:
NIH Privacy Act Officer
National Institutes of Health
6705 Rockledge Dr
Suite 601
Bethesda, MD 20892
For email appeals, send to the NIH Privacy Act Officer at privacy@mail.nih.gov with the subject line: "Privacy Act Appeal." DO NOT attach any documents or sensitive information to your email request. The NIH Privacy Act Officer will reach out using a secure method to obtain this information from you.
How to Submit a Privacy Complaint
To report a privacy violation or unfair practice, submit a written request via mail to:
NIH Privacy Act Officer
National Institutes of Health
6705 Rockledge Dr
Suite 601
Bethesda, MD 20892
For email complaints, send to the NIH Privacy Act Officer at privacy@mail.nih.gov with the subject line: "Privacy Act Complaint." DO NOT attach any documents or sensitive information to your email request. The NIH Privacy Act Officer will reach out using a secure method to obtain this information from you.