Privacy Impact Assessment (PIA) Process


1 Privacy Impact Assessment (PIA) Process
“The NEW Gouge” For use with DD Form 2930, JUN 2017

2 PIAs
Do I Need a PIA?
The Process
Before You Begin
The Template: Section One, Section Two, Section Three, Section Four
Routing and Approval
After the PIA is Approved

3 Do I Need a PIA?
Reference: DoDI , DoD Privacy Impact Assessment (PIA) Guidance
A PIA is required on new and existing IT systems and electronic collections (i.e., applications) that collect, maintain, use, or disseminate PII on members of the public, DoD personnel, contractors, or foreign nationals employed at U.S. military facilities internationally.
A PIA is also required when new uses of an existing IT system or application significantly change how PII is managed in the system (e.g., migrating the system to the cloud).
The PIA is synchronized with the information system's assessment and authorization cycle.
An approved PIA should be in place before the IT system or application begins any collection of PII.
IT system/application pilots that use actual PII require an approved PIA.

4 Do I Need a PIA?
A PIA is not required when:
  No PII is collected.
  Only internal government operations (i.e., business-related) PII is collected (e.g., name, office, office phone, office address, badge number, position, pay grade).
  The IT system is a National Security System.
  The information collected is ALL "unstructured information" (e.g., shared drives, SharePoint portals, and similar repositories). Unstructured information refers to PII elements that are not, or cannot be, specified or listed in advance. Most systems collect "structured information" (i.e., the same PII elements are collected for each individual and can be identified).
Note: PIAs are not done on networks. They are done on the system or application that rides on the network.

5 Before You Begin
Ensure that DITPR DON/DADMS information is current and that all information in the PIA is consistent with what is in DITPR DON/DADMS. This includes the following tabs:
  PIA/PA Tab (e.g., collects PII; collects SSN; SSN justification memo; collects on Federal, Public, Both; SORN)
  FISMA Tab (e.g., assessment and authorization information)
  RM Tab (e.g., records and disposition information)
  Doc Tab (e.g., most recent SSN justification memo posted)

6 Before You Begin
System of Records Notice (SORN). The PIA requires:
  The SORN identifier(s), or
  The date the new/modified SORN was forwarded to the Defense Privacy, Civil Liberties, and Transparency Division (DPCLTD), i.e., the DoD Privacy Office, or
  If a SORN is not required, the reason.
OMB Control Number (for systems that collect information directly from 10 or more members of the public). The PIA requires:
  The OMB Control Number assigned, or
  A statement that the OMB package has been forwarded to DNS-15 (Navy) or ARDB (USMC).

7 Before You Begin
Contractor FAR Clauses. The PIA requires the name of the contractor(s) (i.e., the company name, not individuals) and a statement that the required FAR clauses are in each contract. See the Assistant SECNAV Sep 28, 2018 memo, Implementation of Enhanced Security Controls on Select Defense Industrial Base Partner Networks.
SSN Justification Memo. The most current SSN Justification Memo must be posted under the DOC Tab. It is synchronized with the information system's assessment and authorization cycle (i.e., refreshed when the PIA is updated). (This is at odds with DoD's every-2-year requirement.)

8 Before You Begin Records Management
The NARA Job Number or General Records Schedule Authority must be listed if the system/application contains records. If the system/application does not contain records, state this.

9 SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
1. DOD INFORMATION SYSTEM/ELECTRONIC COLLECTION NAME
In the text box, insert the information system name (from DITPR DON) or the electronic collection/application name (from DADMS), followed by the acronym. Ensure what you enter matches what is in DITPR DON or DADMS.
Example: Naval Education and Training Future Officer and Citizenship User System (NETFOCUS)

10 SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
2. DOD COMPONENT NAME
Pick "Department of the Navy" from the drop-down list. In the next text box insert either:
  For Navy: the Echelon II Command. Example: "Naval Sea Systems Command (NAVSEA)" (a subcommand can be included if desired)
  For Marine Corps: United States Marine Corps followed by the Major Command. Example: "United States Marine Corps – Marine Corps Installations Command (MCI)"
3. PIA APPROVAL DATE
The OCIO will insert this when the final approval signature is made.

11 SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
a. The PII is: (Check one. Note: foreign nationals are included in general public.)
If no PII is collected, or if only internal government operations (i.e., business-related) PII is collected, the PIA is considered "abbreviated" and is handled internally by your command. The OCIO does not process or sign it and does not require a copy.
IMPORTANT: DITPR DON/DADMS must be updated to indicate either:
  That no PII is collected, or
  That PII "is" collected but "A PIA (i.e., full PIA) 'is not' required since the PII collected is low risk internal government operations (i.e., business) related PII."
Note: Internal government operations (i.e., business-related) PII includes name, office, office phone, office address, badge number, position, pay grade, etc.

12 Abbreviated PIAs
Two types. First type: No PII collected.
  Complete the following fields of the PIA template:
    DOD INFORMATION SYSTEM/ELECTRONIC COLLECTION NAME
    DOD COMPONENT NAME
    Section 1.a. Check "Not Collected"
  Obtain command signatures.
  Ensure DITPR DON or DADMS reflects that no PII is collected.
  Maintain the PIA locally (i.e., OCIO does not sign or require a copy).

13 Abbreviated PIAs
Second type: Internal government operations (i.e., business-related) PII collected.
  Complete the following fields of the PIA template:
    DOD INFORMATION SYSTEM/ELECTRONIC COLLECTION NAME
    DOD COMPONENT NAME
    Section 1.a. Check the appropriate box (usually "federal employees")
    Section 2.a. List the PII elements collected (ALL should be internal government operations PII elements; if in doubt, contact the OCIO).
  Obtain command signatures.
  Ensure DITPR DON or DADMS reflects that PII is collected and that a PIA is not required, and add the following to the text box on the PIA tab: "A PIA is not required since the PII collected is considered low risk and there would be no risk of harm to the individual if compromised."
  Maintain the PIA locally (i.e., OCIO does not sign or require a copy).

14 SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
b. The PII is in a: (Check one)
IT systems are registered in DITPR DON = "DoD Information System". A system is defined as any solution that requires a combination of two or more interacting, interdependent, and/or interoperable hardware, software, and/or firmware to satisfy a requirement or capability. Systems are registered in DITPR DON and have a supporting budget displayed in PBIS-IT.
Applications are registered in DADMS = "Electronic Collection". An application is defined as any software application that uses an existing operating system software program to provide the user with a specific capability or function that is independent of other "applications." If it is dependent on other applications, it becomes a system.

15 SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
c. Describe the purpose of this DoD information system or electronic collection and describe the types of personal information about individuals collected in the system.
The purpose should be clear and consistent with DITPR DON/DADMS and the SORN. In many cases the description or purpose in DITPR DON/DADMS can be copied into the PIA. Describe the PII collected and ensure it is consistent with Section 2.a. of the PIA.
d. Why is the PII collected and/or what is the intended use of the PII? (e.g., verification, identification, authentication, data matching, mission-related use, administrative use)
List one or more of the choices given.

16 SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
e. Do individuals have the opportunity to object to the collection of their PII?
If Yes, along with the method, list the consequence(s) if the individual's PII is not provided. If No, the usual reason is that "PII is not collected directly from the individual."
f. Do individuals have the opportunity to consent to the specific uses of their PII?
The answer is usually No, since "Once PII is provided by the individual, consent is assumed" or, again, "PII is not collected directly from the individual."

17 SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
g. When an individual is asked to provide PII, a Privacy Act Statement (PAS) and/or a Privacy Advisory must be provided. (Check as appropriate and provide the actual wording.)
A PAS or Privacy Advisory is required when collecting information directly from an individual. If "Not Applicable" is checked, indicate why in the text box, e.g., "PII is not collected directly from the individual."

18 SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
h. With whom will the PII be shared through data exchange, both within your DoD component and outside your Component? (Check all that apply)
  Within the DoD Component (i.e., Department of the Navy)
  Other DoD Components (i.e., outside DON, but within DoD)
  Contractor: Include the name of the contractor(s) (i.e., the company name, not individuals) and a statement as to whether the required FAR privacy clauses are included in the contract(s).
i. Source of the PII collected is: (Check all that apply and list all information systems if applicable)
Self-explanatory. Ensure the IT systems collected from are listed in the text box as applicable.

19 SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
j. How will the information be collected? (Check all that apply and list all Official Form Numbers if applicable)
Self-explanatory. Ensure "Official Form Numbers" are listed. Note: Unofficial forms should not be used. Contact OPNAV DNS-15 (Navy) or ARDB (USMC) if there is any question as to whether a form is an official form.
k. Does this DoD Information system or electronic collection require a Privacy Act System of Records Notice (SORN)?
Provide either the SORN identifier(s) or the date the SORN was submitted to DPCLTD (i.e., the DoD Privacy Office), or explain why a SORN is not required. Note: The SORN submission date may be obtained from DNS-36 (Navy) or ARSF (USMC). SORNs may NOT be submitted directly to DPCLTD by the commands.

20 SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
l. What is the National Archives and Records Administration (NARA) approved, pending or general records schedule (GRS) disposition authority for the system or for the records maintained in the system?
Ensure all questions are answered, or explain that the system or application does not contain any records. Ensure that what is entered in the PIA is consistent with what is under the RM Tab in DITPR DON. The local, command, or Echelon II Records Manager signing the PIA should provide this information.

21 SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
m. What is the authority to collect information?
A Federal law or Executive Order must authorize the collection and maintenance of a system of records. For PII not collected or maintained in a system of records, the collection or maintenance of the PII must be necessary to discharge the requirements of a statute or Executive Order.
For a system or application that has a SORN(s), cut and paste the authorities listed in the SORN. The heading for each SORN listed should be in the following format:
  SORN M , Marine Corps Manpower Management Information System Records (April 29, 2010, 75 FR 22570) authorities: (followed by the authorities cut and pasted from the SORN)
If the system or application does not require a SORN, list the law(s), Executive Order(s), instruction(s), etc. that authorize the collection of PII.
Note: If an authority listed in the SORN has been canceled or superseded, it may be replaced with the superseding authority.

22 SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
n. Does this DoD information system or electronic collection have an active and approved Office of Management and Budget (OMB) Control Number?
This number indicates OMB approval to collect data from 10 or more members of the public in a 12-month period, regardless of form or format. Follow the directions in the PIA for Yes, No, or Pending. Contact DNS-15 (Navy) or ARDB (USMC) if you have any question on how to submit a request for an OMB Control Number. This process can easily take 6 months or longer.

23 SECTION 2: PII RISK REVIEW
a. What PII will be collected (a data element alone or in combination that can uniquely identify an individual)? (Check all that apply)
In addition, for any other PII element not listed, and for each broad category, list the PII elements collected in the text box (e.g., Employment Information: employment history, credentials earned, salary level).
If the SSN is collected, complete the following questions. Ensure the SSN Justification Memo is posted under the DOC Tab in DITPR DON/DADMS for the system/application. The list of 12 acceptable uses can be found on the DON CIO web site.

24 SECTION 2: PII RISK REVIEW
b. What is the PII confidentiality impact level?
The information security signatory determines and provides this.
c. How will the PII be secured?
Include where the system or application servers are located.
d. What additional measures/safeguards have been put in place to address privacy risks for this information system or electronic collection?

25 SECTION 3: RELATED COMPLIANCE INFORMATION
a. Is this DoD Information System registered in the DoD IT Portfolio Repository (DITPR) or the DoD Secret Internet Protocol Router Network (SIPRNET) Information Technology (IT) Registry or Risk Management Framework (RMF) tool?
List the DITPR ID in the first text box. Put the RMF tool ID in the third text box. Put the DITPR DON ID or DADMS ID in the large text box.

26 SECTION 3: RELATED COMPLIANCE INFORMATION
b. DoD information systems require assessment and authorization under the DoD Instruction , "Risk Management Framework for DoD Information Technology".
Ensure the information provided for this question is consistent with the information in DITPR DON.
c. Does this DoD information system have an IT Unique Investment Identifier (UII), required by Office of Management and Budget (OMB) Circular A-11?
Provide the UII from DITPR DON, as applicable, in the following format:

27 SECTION 4: REVIEW AND APPROVAL SIGNATURES
Command required signatures:
  Secretariat and Navy:
    Block a: Program Manager or Systems Manager
    Block b or c: Local or Echelon II privacy official
    Block e: Local or Echelon II Records Manager
    Block f: Information Security Officer or equivalent
  USMC:
    Block a: Program Manager or Systems Manager
    Block b or c: Local or major command privacy official
    Block e: HQMC ARDB
    Block f: HQMC C4 CY
Final review and approval signatures:
  Block d (Navy): OPNAV DNS-36
  Block d (USMC): HQMC ARSF
  Blocks g and h: OCIO

28 Routing and Approval
The Program Manager completes the template and forwards it to the appropriate Echelon II (Navy) or HQMC C4 CY (USMC) for initial review. Command signatures are obtained.
For Navy PIAs:
  The PIA is forwarded to OCIO for review.
  OCIO forwards the PIA to OPNAV DNS-36 for review and signature.
  OPNAV DNS-36 returns the PIA to OCIO for the final approval signature.
For Marine Corps PIAs:
  HQMC C4 CY reviews, signs, and forwards the PIA to HQMC ARSF for review, coordination, and signatures.
  HQMC ARSF forwards the PIA to OCIO for the final approval signature.
OCIO approves and signs the PIA.

29 After PIA is Approved
OCIO posts the PIA summary (i.e., Section 1 only) to the DON CIO web site.
OCIO forwards the approved PIA to stakeholders (the Echelon II privacy official for Navy; HQMC C4 CY and HQMC ARSF for the Marine Corps).
OCIO forwards the approved PIA to DoD.
OCIO updates DITPR DON.
Note: Whether at rest or in transit, PIAs should be encrypted. In addition, hard-copy PIAs should be accessible only to those with a need to know.
