Cheat Sheet - 18F/DOI-Digital-Services-PIA-UX GitHub Wiki

#Intro

When we create or use IT systems that collect or maintain information, the government must take steps to protect it. We have a moral, ethical, and legal responsibility to evaluate risks, ensure the information is protected, and consider the privacy implications throughout the development of the system. This Privacy Impact Assessment, or PIA, helps DOI’s Privacy Office assist you in working through these issues.

First, you should know that this form requires some technical information about your program and IT system. You may need to reach out to some of your team members for it:

IT leads: details about system security requirements and who will have access to which types of information.

Records Management Specialist: the schedule for retaining the information you collect.

Next, please use the User Guide below while working through this form. It will help clarify terms and provide background on why each question is asked and how the answers will be used. You can also email DOI’s Privacy Office for more help.

#USER GUIDE

Part I.

You may be wondering what constitutes “information.” Information is identifiable when ****.

On the other hand, information may not be identifiable to an individual, such as statistical, geographic, or financial data like ***. A good rule of thumb is ****.

We take different precautions based on the type of information you collect. If your system holds information that could compromise an individual’s privacy, we need to understand how you will collect, use, and maintain it. We’ll walk through those details in Sections 1-6.

Section 1.

“System Name” is the term for ***. Your “organization” should include bureau, office, and program name.

Section 2.

2.1 You can find out if a PIA already exists by checking this list or asking your Privacy Officer. You may also need this PIA because your office is merging two existing systems.

2.2 Describe the purpose of this system in detail. Why are you collecting and maintaining this information? How does it relate to your office’s and the Department’s mission?

2.3 Some common citations are below. Please check with your contact in the Solicitor’s Office to see which authorities apply. You will need to cite the same authorities in the authority section of the System of Records Notice, or SORN.

2.4 a. CSAM is ***. To get more information on CSAM and its requirements, you will want to check with your ****.

b. Similarly, you can get more details about SORNs by asking ***. The identifier here would include ***.

c. OMB Control Numbers are used to ***. Your Solicitor’s Office or Privacy Office contact will help determine whether one is necessary.

2.5 As part of this process, you’ll need to upload this PIA, the SORN(s), and potentially other documents into CSAM for each system application. You will do this at *** time in the process. The UII Code and System Security Plan (SSP) name will also need to be included here.

Missing 2.6?

2.7 Need some work here on describing