
INTERIM GUIDANCE 1603-1
September 26, 2006

SUBJECT: Initial Privacy Reviews and Privacy Impact Assessments

TO: Office Heads, Staff Directors, ISOO, NHPRC, OIG

1. What is the purpose of this directive?
This directive provides procedures and requirements for completing Initial Privacy Reviews (IPRs) and Privacy Impact Assessments (PIAs). NARA requires that all information systems and information collections complete an IPR, which determines if a PIA is necessary. In accordance with the privacy provisions of the E-Government Act of 2002 and implementing Office of Management and Budget (OMB) guidance, PIAs are required for all information technology (IT) systems and information collections that contain personally identifiable information (PII).

2. What is the authority for this directive?

    a. Federal Statutes

        (1) 44 U.S.C. 2108 of the Federal Records Act;

        (2) Privacy Act (5 USC 552a, as amended);

        (3) Freedom of Information Act (5 U.S.C. 552, as amended);

        (4) Federal Information Security Management Act of 2002 (PL 107-347);

        (5) E-Government Act of 2002 (44 U.S.C. chapter 36);

        (6) Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.);

        (7) Information Technology Management Reform Act (40 U.S.C. 1401 through 1503, Clinger-Cohen Act of 1996).

    b. OMB Issuances

        (1) OMB Circular A-130, "Management of Federal Information Resources;"

        (2) OMB Memorandum M-03-22, "Implementing the Privacy Provisions of the E-Government Act;"

        (3) OMB Memorandum M-06-15, "Safeguarding Personally Identifiable Information;" and

        (4) OMB Memorandum M-06-16, "Protecting Sensitive Agency Information."

    c. Internal Directive-NARA 804, "Information Technology (IT) Systems Security."

3. To whom does this guidance apply?
This policy applies to all NARA employees, contractors, Foundation staff and Foundation funded employees, interns, volunteers, detailees, and others who are responsible for the development and maintenance of NARA IT systems as well as offices responsible for initiating information collections.

4. Definitions
The following definitions apply to the terms used in this directive.

    a. Information Technology (IT) - any equipment, software, or interconnected system or subsystem that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.

    b. Information Technology (IT) Privacy - the protection of personally identifiable information (PII) that is collected from individuals through information collection activities or from other sources and that is maintained by NARA in its information technology (IT) systems.

    c. Initial Privacy Review (IPR) - an initial assessment of an IT system to determine if it contains personally identifiable information. IPRs should also be used to determine if personally identifiable information exists in a newly modified system.

    d. Personally Identifiable Information (PII) - any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

    e. Privacy Impact Assessment (PIA) - an analysis of how information is handled:

        (1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy;

        (2) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and,

        (3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks to an individual.

5. Responsibilities

    a. Chief Information Officer (CIO)

        (1) provides oversight and technical assistance to all system owners during the IPR and PIA process;

        (2) is the final approval authority for all PIAs; and

        (3) transmits final PIAs to OMB consistent with OMB instructions. The Assistant Archivist for Information Services (NH) serves as NARA's CIO.

    b. Senior Agency Official for Privacy is responsible for ensuring that personally identifiable information (PII) contained in NARA IT systems is effectively protected and secured. The General Counsel (NGC) serves as NARA's Senior Agency Official for Privacy. Specific responsibilities include:

        (1) Developing IPR and PIA templates and instructions on how to complete them;

        (2) Providing guidance and assistance on meeting OMB and NARA privacy requirements;

        (3) Reviewing and analyzing each IPR and PIA so that a recommendation for approval can be made to the CIO; and,

        (4) Publishing approved PIAs on the NARA web site.

    c. Chief Information Security Officer (CISO) is responsible for managing the NARA IT Security Program, with the mission and resources to ensure agency compliance with FISMA and other government-wide IT security policies through the development, implementation, and management of NARA IT systems. The CISO works with system owners and the Senior Agency Official for Privacy to resolve technical issues that affect privacy. The Director, IT Security Programs (NHI), serves as NARA's CISO.

    d. Inspector General evaluates and provides recommendations for NARA PIA compliance in accordance with FISMA and related laws and regulations.

    e. Office heads/staff directors, Presidential library directors, and regional administrators ensure compliance with this policy within their respective offices.

    f. System administrators implement, operate, and monitor all NARA IT systems in conformance with established protocols to ensure that personally identifiable information is accessed only by appropriate staff who need that information to perform their work.

    g. System managers are responsible for managing personally identifiable information found in Privacy Act systems of records.

    h. System owners are responsible for completing IPRs to determine if an IT system contains personally identifiable information. If the IPR results in the need for a PIA, the system owner is responsible for ensuring that the PIA is submitted to the Senior Agency Official for Privacy for review and approval. The system owner also monitors compliance with security and privacy provisions in each PIA for each IT system under his or her authority.

    i. System Users are responsible for adhering to the terms of NARA acceptable use policy (see NARA 802, Appropriate Use of NARA Office Equipment) and all other privacy and security requirements.

6. What systems are covered by this directive?
This directive applies to all NARA information systems and new electronic information collections in identifiable form for 10 or more persons (excluding agencies, instrumentalities, or employees of the federal government).

7. What systems need an IPR?
System owners of all NARA IT systems and staff responsible for NARA initiated information collections must complete an IPR. The IPR helps determine if personally identifiable information is collected, used or maintained within an IT system. A Privacy Impact Assessment (PIA) must be completed for all IT systems and information collections that are found to contain personally identifiable information.

8. Why are IT system owners required to complete Privacy Impact Assessments (PIAs)?
OMB Memorandum M-03-22 mandates that agencies use PIAs to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system. Agencies also use PIAs to identify and evaluate protections and alternative processes that can be used to mitigate the impact to privacy on collecting information in identifiable form.

9. What must the PIA address?
The PIA must evaluate:

    a. The type of personally identifiable information in a system (including any ability to combine multiple identifying elements on an individual);

    b. Who has access to that information (whether full access or limited access rights); and

    c. What administrative controls are in place to ensure that only information that is necessary and relevant to NARA's mission is maintained in the system.

10. When should a PIA be conducted?
A PIA must be conducted after an IPR identifies that an IT system or information collection contains personally identifiable information. PIAs are required for all NARA-owned IT systems that contain such information; when such systems are significantly modified; or when a new electronic collection of personally identifiable information is being proposed. System owners should contact NGC for further guidance.

11. For what IT systems must a PIA be completed?
Complete a PIA when:

    a. A paper based records system is converted to an electronic system;

    b. An existing electronic system is modified so that previously anonymous information becomes identifiable;

    c. New uses of an existing IT system, such as the application of new technologies, significantly change how personally identifiable information is managed in the system;

    d. Databases holding personally identifiable information are merged, centralized, matched with other databases, or otherwise significantly manipulated;

    e. User-authenticating technology (e.g., password, digital certificate, or biometric) is newly applied to an electronic information system accessed by members of the public;

    f. Alteration of a business process results in significant new uses, disclosures of information, or incorporation into the system of additional items of personally identifiable information;

    g. New personally identifiable information that is added to the system increases the risks to personal privacy (e.g., the addition of medical or financial information);

    h. A system with personally identifiable information is relocated to a remote site or a facility not under the direct control of NARA (e.g., a contractor's processing facility); or,

    i. Initiating, consistent with the Paperwork Reduction Act, a new or significantly revised electronic collection of information in identifiable form for 10 or more persons.

12. When is a PIA not required?
If a completed IPR determines that no PII exists within the IT system or information collection, a PIA is not required. A PIA is not required when information relates to internal government operations, has been previously assessed under an evaluation similar to a PIA, or where privacy issues are unchanged. The following circumstances may not require the completion of a PIA:

    a. For NARA-run web sites, IT systems, or collections of information that do not collect or maintain personally identifiable information;

    b. For government-run public web sites where the user is given the option of contacting the site operator for the limited purpose of asking questions or providing comments;

    c. For national security systems defined at 40 U.S.C. 11103 as exempt from the definition of information technology;

    d. When all elements of a PIA are addressed in an interagency agreement permitting the merging of data for strictly statistical purposes and where the resulting data are protected from improper disclosure and use under Title V of the E-Government Act;

    e. When system owners are developing IT systems or collecting non-personally identifiable information for a discrete purpose that does not involve matching with or retrieval from other databases that generate personally identifiable information;

    f. For minor changes to an IT system or collection that do not create new privacy risks; or,

    g. For legacy systems and currently operational systems unless a major upgrade or significant change relative to the content or protection of data within the system is anticipated, and the system contains personally identifiable information.

13. What must the PIA cover?
The PIA is an analysis of how personally identifiable information is handled, including the physical and technical safeguards that are in place to protect such information from inappropriate disclosure. NARA offices writing PIAs for NARA IT systems and information collections must answer all the questions in the PIA template provided in appendix B.

14. How much information needs to be included in the PIA?
The depth and content of the PIA must reflect the size and nature of the information system being assessed, the sensitivity of the information that is in an identifiable form in that system, and the risk of harm from unauthorized release of that information. For example, PIA statements for major information systems must reflect a more extensive analysis of the consequences of the collection and flow of information; the alternatives to collection and handling as designed; privacy risk mitigation measures for each alternative; and, the rationale for the final design choice or business process.

15. What is the relationship between the PIA and requirements under the Paperwork Reduction Act (PRA) and the Privacy Act?

    a. Pursuant to the Paperwork Reduction Act (PRA), all new information collections subject to the PRA must be submitted to OMB for review and approval. NARA units undertaking new information collections using electronic means for collecting, processing, or storing the information must conduct an IPR. If the results of the IPR indicate that a PIA is required, the resulting PIA statement must be submitted to OMB along with the information collection request (ICR), unless the PIA has already been submitted to OMB as part of the business case development process.

    b. NARA units are not required to conduct a new PIA for simple renewal requests for information collections under the PRA. However, units must separately consider the need for a PIA when amending an ICR to collect information that is significantly different in character from the original collection. Please see NARA 108, Information Collection, for additional information.

16. What are the requirements for developing or amending a Privacy Act notice?
NARA system managers must complete an IPR when developing or amending a system of records (SOR) notice required under the Privacy Act. If the IPR determines that a PIA is required, follow the procedures outlined in pars. 9, 13, and 14.

17. What is the process for review and publication of the PIA?
When a system owner conducts a PIA, he or she sends the resulting draft PIA statement to the Senior Agency Official for Privacy for review. The Senior Agency Official for Privacy and the NARA Privacy Act Officer review the PIA, and consult with the system owner or system manager to resolve any concerns. When concerns are resolved, the CIO, with the concurrence of the Senior Agency Official for Privacy, provides final approval and submits OMB-mandated PIA statements addressing personally identifiable information to OMB for review.

18. What is the process for review of the Initial Privacy Review?
When a system owner conducts an IPR and determines that the IT system or information collection evaluated does not contain personally identifiable information, he or she must sign the IPR and submit it to the Chief Information Security Officer and the Senior Agency Official for Privacy for review and approval. The Senior Agency Official for Privacy transmits the IPR to the CIO for final approval.

19. How are PIAs disclosed to the public?
Appendix A, Section II, C3 of OMB memo M-03-22, "Implementing the Privacy Provisions of the E-Government Act," requires that PIAs or summaries be publicly available. Accordingly, the Senior Agency Official for Privacy facilitates the publication of all approved PIAs on the NARA web page, http://www.archives.gov/foia/privacy-program/privacy-act/.

20. How are records created by this directive maintained under the NARA records schedule?

    a. NGC and the senior agency Privacy Act official maintain records under file no. 1103-6.

    b. System managers, system owners, the CISO, and staff maintain records under file no. 812, Oversight and Compliance File, or 814-1, Financing of IT Resources and Services, as appropriate.

    c. NHI [IT Security Staff] maintains records under NARA file no. 830-2, "Documents identifying IT risks ..."

    d. NH [CIO] maintains the official record copy in accordance with NARA 801-2, par. 13.

21. Who can provide additional information on this policy?
For questions regarding this interim guidance, contact Gary M. Stern (NGC) in room 3110, AII; on 301-837-1750, by fax on 301-837-0293; or by e-mail at garym.stern@nara.gov.

22. Where should I file this interim guidance?
File this interim guidance with NARA 1603, Access to Records Under the Privacy Act.


Susan Ashtianie
Director
Policy and Planning Staff

Attachments


The U.S. National Archives and Records Administration
8601 Adelphi Road, College Park, MD 20740-6001
Telephone: 1-86-NARA-NARA or 1-866-272-6272