Understanding the Privacy Impact Assessment (PIA)


Introduction

The PIA is a checklist or tool to ensure that new or modified electronic collections of information on individuals:

- Are evaluated for privacy risks.

- Are designed with Privacy Act life cycle management requirements (collection, maintenance, use, safeguards and records scheduling).

- Ensure that appropriate privacy protection measures are in place.



When do you Complete a PIA?

  • At different stages of a project’s life cycle; each phase may introduce new privacy risks.

  • When collecting information from websites (e-forms, surveys, etc.).



When Do You Submit Copies?

  • DOI IT Security Asset-Valuations

  • DOI IT Security Certification and Accreditations

  • OMB Exhibit 300s

  • Identify on websites collecting information from the public

  • Identify in Privacy Act system of records notice in the Federal Register

  • Identify in OMB Information Collection Clearance packages



DOI Requirements

  • DOI’s PIA requirements extend to all systems that contain information on individuals (this includes systems with information on BOTH employees and members of the public).

    (OMB offers this as an option in OMB M-03-22.)

  • DOI requires that all systems perform a “preliminary review” for information on individuals - DON’T CONFUSE THIS WITH DOING A COMPLETE PIA



  • The “preliminary review” is documentation to verify that we’ve looked at all systems to determine if they maintain information on individuals (keep it with the metadata).

  • Doing this “preliminary review” (completing the PIA template questions up to B.1.a.) will help you determine whether you need to continue and complete the full PIA.



  • If you determine that there is no information on individuals in the system then there is no point in completing the rest of the PIA document.



OMB’s Requirement for Exhibit 300s

  • OMB’s requirement for Exhibit 300s is narrower than DOI’s.

  • OMB only requires a PIA for systems that maintain information on individuals WHO ARE MEMBERS OF THE PUBLIC.



  • OMB has explained that General Support Systems would require a PIA when it “maintains” information on individuals (i.e., collects, stores, uses, disposes of the information).

  • For networks that are merely conduits for information and do not “maintain” it in the sense above, a PIA is not required.



  • OMB is NOT interested in the DOI “preliminary reviews” or PIAs done for systems that maintain information on employees (optional)

  • Mark “No PIA” when there is found to be no information on individuals in the system (Remember – the “preliminary review” is NOT a PIA)



References

  • OMB Memo of 9/26/03 (M-03-22) on implementing the Privacy Provisions of the E-Government Act

  • OCIO Directive of 10/18/02 on implementing PIAs

  • Privacy reference material on the DOI Privacy Program Webpage – www.doi.gov/ocio/privacy

