Introduction - 18F/DOI-Digital-Services-PIA-UX GitHub Wiki
# Why are Privacy Impact Assessments (PIAs) required?
A completed PIA demonstrates that the agency has evaluated privacy risks and incorporated protections commensurate with those risks, so that sufficient safeguards exist for personally identifiable information (PII) as agencies implement citizen-centered electronic Government. A PIA also supports government transparency by informing the public of the information collected about them and of any impact agency systems or information collections may have on their personal privacy. PIAs confirm that collected information is protected and used for the purpose intended, that it remains timely, relevant, accurate and complete, and that agencies retain it only as long as it is needed. Identifying and documenting privacy controls during the PIA process puts appropriate protections in place for PII throughout the information life cycle and demonstrates compliance with Federal privacy requirements and standards.
The Departmental Privacy Office partners with Bureau/Office privacy staff to assess all new or proposed programs, systems or applications for privacy risks, and recommends methods for handling PII that protect individual privacy and mitigate risks to that information. PIAs are completed and maintained by the Privacy Office of the Bureau/Office where the information system is located. A copy of the completed PIA, and any associated system of records notice (SORN), must be entered into the Cyber Security Assessment and Management (CSAM) system for every registered information system.
# Legal
This revised Department of the Interior (DOI) PIA Guide provides detailed guidance on conducting privacy impact assessments and reflects new policy and best practices, to ensure DOI compliance with the E-Government Act of 2002, the Privacy Act of 1974 (5 U.S.C. 552a), Office of Management and Budget (OMB) mandates, NIST SP 800-53 Revision 4, and other applicable privacy laws, regulations, and standards.
Federal government agencies are required under Section 208 of the E-Government Act of 2002 (Public Law 107-347, 44 U.S.C. Chapter 36) to conduct a Privacy Impact Assessment (PIA) before developing or procuring information technology (IT), or initiating a new information collection that uses IT, that collects, maintains or disseminates personally identifiable information (PII). The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, requires Federal agencies to implement privacy controls for information systems in order to protect the PII that organizations collect and maintain about individuals, in accordance with Federal privacy laws, regulations, policies and guidelines. Organizations may tailor the privacy controls to their own defined needs at the organization level, and the implementation of privacy controls may vary based on legal authorities and distinct mission/business or operational needs.
(If approved) - This Guide supersedes any previously issued guidance and must be followed for all new and updated PIAs conducted at DOI.