FOIA Processing and Privacy Awareness at NOAA Prepared by Mark H. Graff NOAA FOIA Officer OCIO/GPD (301)
2 Freedom of Information Act (5 USC 552) Enacted in FOIA provides that any person has a right to obtain access to federal agency records, except to the extent that such records (or portions of them) are protected from public disclosure by one of nine FOIA exemptions or by one of three special law enforcement record exclusions. This right is enforceable in court.
3 What About State Records? The Federal FOIA does not provide access to records held by state or local government agencies, or by businesses or individuals. States have their own statutes governing public access to state and local records and they should be consulted for further information about them.
4 What is a Record Under FOIA? Any agency records are those created or obtained by NOAA and are, when the request is filed, in NOAA's possession and control Includes off-site storage Agency records can be in any format like print documents, photographs, videos, maps, e- mail and electronic records
5 Your Role in FOIA Keep records according to the schedule Attend FOIA Training Follow your office procedures Search for records when requested Provide copies of records when requested Review records for potentially protected information when requested Consult with General Counsel, as appropriate
6 Why is FOIA Processing Important? It’s the law FOIA is how the public gets copies of government records (Internet reducing number of requests) Reduces risk of appeals/related costs by complying with the regulations
7 What if I have to process a FOIA request? First, consult with your FOIA Liaison or Action Office Coordinator _contacts.html Second, review your organization’s FOIA SOPs Third, check out the NOAA Administrative Order (NAO for short) for FOIA ministrative_orders/chapter_205/ html
8 The Flow of a FOIA Request The request goes through intake before you see it The appropriate office(s) are tasked with conducting a search Records found are reviewed and redacted as appropriate The case is reviewed, approved, and records are released
Privacy Program Overview NOAA’s Privacy Program –All Federal Privacy Programs are receiving scrutiny, including OMB-driven data calls, and heightened attention to FISMA Systems processing PII, following the OPM Data Breach. –The Program ensures compliance with the Privacy Act of 1974 and ensures the collection and use of Personally Identifiable Information (PII) is in accordance with governing OMB guidance, DOC Policy, and NOAA Privacy Policy including the obligation to safeguard PIIPrivacy Act of 1974 OMB guidanceDOC PolicyNOAA Privacy Policy 9For Official Use Only
What is PII and BII? OMB M-7-16 Defines Personally Identifiable Information (PII) as information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. DOC IT Policy defines Business Identifiable Information (BII) as (a) information that is defined in the Freedom of Information Act (FOIA) as “trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential.” (5 U.S.C.552(b)(4)). This information is exempt from automatic release under the (b)(4) FOIA exemption. “Commercial” is not confined to records that reveal “basic commercial operations” but includes any records [or information] in which the submitter has a “commercial interest” and can include information submitted by a nonprofit entity.5 U.S.C.552(b)(4)) 10
Privacy Obligations –Oversees the requirements of proper collection of PII within bureau Federal Information Security Modernization Act (FISMA) systems, including the completion of Privacy Threshold Analyses (PTAs), Privacy Impact Assessments (PIAs), and System of Records Notices (SORNs)Privacy Impact Assessments (PIAsSystem of Records Notices (SORNs) –Serve in cooperation with the Cyber Incident Response Team (N-CIRT) in ensuring compliance with OMB M and the Department of Commerce (DOC) Breach Response and Notification Plan following Privacy Incidents.OMB M Department of Commerce (DOC) Breach Response and Notification Plan 11For Official Use Only
Privacy Threshold Analysis and Privacy Impact Assessment –Privacy Threshold Analyses (PTA’s) are required prior to the issuance of any Authorization to Operate for any FISMA system within the Bureau. They provide a high level indication of whether or not PII/BII is being collected on FISMA systems, either at creation, or at the time of changes within the system –Privacy Impact Assessments (PIA’s) are required when the PTA indicates that PII/BII is being collected on FISMA systems. Following that determination, an assessment of the impact, scope, use, and nature of PII/BII being collected must be completed, as well as an analysis of the controls in place to safeguard the PII/BII. A determination is made if the PII/BII collection warrants notice to the public in the form of a published System of Records Notice (SORN), or whether the collection and use is covered by an existing SORN. 12For Official Use Only
13 What resources are available? Department of Commerce: –General FOIA training on demand –Regulations: DOJ: noaa-develops-user-friendly-web-site-foia NOAA: – – – ASAP: