Documents Associated with a PIA - 18F/DOI-Digital-Services-PIA-UX GitHub Wiki
# Section 3.0 - Documents Associated with a PIA
# 3.1 System of Records Notice

The Privacy Act of 1974 requires Federal agencies to publish a SORN in the Federal Register for systems of records, denoting: the categories of records on individuals that they collect, use, maintain or disseminate; the safeguards to protect the information; the location of the system; the system manager; and how individuals can obtain notice and access to records about themselves.
Some systems may maintain PII on individuals but are not subject to the provisions of the Privacy Act. The requirements of the Privacy Act are triggered by the retrieval of information by use of a name or other identifier assigned to an individual. Any system that maintains information about individuals that is subject to the Privacy Act must have a published SORN, and must collect, use, maintain and disseminate information in accordance with that SORN. When conducting a PIA on a new or updated system, the associated SORN must be reviewed to ensure the system handles information in accordance with the SORN, or to determine whether the SORN should be revised to reflect the changes to the system.
# 3.2 OMB Budget Submissions – Exhibit 300s

Although PIAs will be completed for all information systems, the OMB only requires that Exhibit 300 budget submissions include PIAs for projects that collect and manage information on individual members of the public that is identifiable to the individual.
For projects that collect and manage information on individual members of the public, OMB requires that a PIA be submitted with Exhibit 300s for budget requests (see OMB Circular A-11, “Preparing, Submitting, and Executing the Budget”, at http://www.whitehouse.gov/omb/circulars_a11_current_year_a11_toc).
# 3.3 Paperwork Reduction Act Submissions

If you are collecting information from members of the public, contact your Bureau/Office Information Collection Clearance Officer to ensure that you have OMB approval to do so, or to determine whether you need to obtain OMB approval to collect the information. The Paperwork Reduction Act of 1995 establishes requirements for collecting the same information from ten (10) or more persons; this does not include Federal employees acting in their official capacity. The E-Government Act also requires agencies to conduct a PIA on any new collection of information from ten (10) or more members of the public using information technology. This requirement does not include collections of information from agencies, organizations, or employees of the Federal government. See OMB M-03-22 for more information on how the E-Government Act and the Paperwork Reduction Act interact.
# 3.4 DOI IT Security Assessment and Authorization Process

The DOI IT Security A&A process is an integral part of DOI's information security program. It is an important activity that supports the risk management process through a detailed security review of information systems and a comprehensive assessment of the management, operational and technical security and privacy controls. The A&A process requires a completed PIA to ensure that effective controls are in place to protect privacy and that systems comply with the requirements of the E-Government Act, the Privacy Act, OMB mandates, NIST standards, and DOI privacy and security policies. The PIA demonstrates compliance with privacy requirements and the implementation of appropriate privacy controls for DOI information systems.