Roles and Responsibilities - 18F/DOI-Digital-Services-PIA-UX GitHub Wiki

# Section 4.0 - Roles and Responsibilities

Since the requirements of a PIA must be addressed during the early stages of system development, ideally the Information System Owner and system developer will complete the assessment. Information System Owners must address what data is to be used, how the data is to be used, and who will use the data. System developers and managers must be aware of privacy requirements when systems are conceptualized and designed. The system developers must address whether the implementation of requirements presents any threats to privacy. Information System Owners and system developers will need to coordinate certain responses with the Bureau/Office Privacy Officer, Information Collection Clearance Officer, Information System Security Officer or Chief Information Security Officer, Records Officer, and possibly the Chief Information Officer.

# 4.1 Information System Owner

The Information System Owner is the official responsible for the overall procurement, development, integration, modification, or operation and maintenance of information systems. The Information System Owner is responsible for completing the PIA and implementing the legal information resources management requirements such as Privacy, Security, Records Management, Freedom of Information Act, and data administration. To ensure complete and accurate PIAs are conducted, Information System Owners must work closely with Bureau/Office Privacy Officers, Information System Security Officers or Chief Information Security Officers, Information Collection Clearance Officers and Records Officers. The Information System Owner must work with these officials to resolve any identified privacy or security risks. The Information System Owner must also ensure that all appropriate reviews and surnames are obtained. Information System Owner responsibilities include, but are not limited to:

  • Collaborating with the Bureau/Office Privacy Officer to ensure privacy risks are properly assessed and identifying applicable Privacy Act SORNs for systems subject to the provisions of the Privacy Act.
  • Collaborating with the Privacy Act System Manager to ensure Privacy Act records are maintained in accordance with the provisions of the Privacy Act and the published SORN.
  • Collaborating with the Information System Security Officer and Bureau/Office Chief Information Security Officer to ensure appropriate security and privacy controls are implemented to restrict access, properly manage and safeguard PII maintained within the system, document privacy controls in PIAs for SAOP approval, and provide a completed PIA for the DOI IT Security A&A process.
  • Identifying records disposition schedules with their Bureau/Office Records Officer.
  • Consulting with the Bureau/Office Information Collection Clearance Officer for information collection approvals by OMB if necessary (usually a 180-day process).
  • Reporting any suspected or confirmed compromise of privacy data to DOI-CIRC within one hour of discovery in accordance with OMB M-06-19, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments”, OMB M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information”, and the DOI Privacy Loss Mitigation Strategy.

# 4.2 Privacy Act System Manager

The Privacy Act System Manager is the official with administrative responsibility for managing and protecting Privacy Act records, whether in electronic or paper format, and for meeting the requirements of the Privacy Act and the published SORN. The Privacy Act System Manager is usually identified in the published SORN; however, this responsibility may be further delegated to personnel within an agency, program or office. For Privacy Act System Manager responsibilities, refer to the Departmental Manual Privacy Act Sections, 383 DM Chapters 1-13, and DOI Privacy Act regulations at 43 CFR Part 2. Privacy Act System Manager responsibilities include, but are not limited to:

  • Safeguarding the records they are responsible for, and ensuring that all records and data in the system are complete, accurate, timely, and relevant to accomplish a purpose of the agency as authorized by statute or Executive Order of the President.
  • Collaborating with the Bureau/Office Privacy Officer to prepare documentation required by the Privacy Act, including notices of new, altered or terminated system of records for publication in the Federal Register, and reviewing each system of records notice annually to ensure it accurately describes the system of records.
  • Receiving, evaluating, and granting or denying, as appropriate, requests by individuals for notification of, access to, and disclosure of records in the system.
  • Receiving, evaluating and granting or denying, as appropriate, individuals’ petitions to amend records in the system.
  • Maintaining an accounting for disclosures from a Privacy Act system outside DOI and ensuring all recipients of records are informed when those records have been amended.
  • Monitoring a contractor's compliance with Privacy Act requirements for systems of records maintained by the contractor on behalf of DOI.
  • Formulating and maintaining records retention and disposal schedules, in consultation with the Bureau/Office Records Officer.
  • Working with the Information System Owner and the Information System Security Officer to complete a PIA for any information system that collects or maintains Privacy Act information, and to ensure appropriate management, operational, physical, administrative, and technical safeguards are in place to prevent unauthorized disclosure or alteration of information in the system.

# 4.3 Information System Security Officer

An Information System Security Officer (ISSO) is appointed by an Information System Owner to ensure implementation of system-level security controls and to maintain system documentation. The ISSO is responsible for collaborating with the Information System Owner to develop, implement, and manage corrective action plans for all systems they own and operate, and to develop a Plan of Actions and Milestones (POA&M) when necessary. The duties of the ISSO are very important and must be considered when an assignment is made by the Information System Owner, as both the Federal Information Security Management Act of 2002 (FISMA) and OMB policy require that Federal information systems employ effective security controls necessary for the protection of information. The ISSO has certain responsibilities for ensuring that operational security is maintained and that Federal and agency information security requirements are met. The ISSO works closely with the Information System Owner to manage the technical requirements of the system’s security operations. The ISSO must review the PIA to ensure privacy risks were properly assessed and appropriate security controls were implemented to mitigate risks and protect privacy data.

The ISSO also serves as a principal advisor on all matters, technical and otherwise, involving the security of an information system, and must have the detailed knowledge and expertise required to manage the daily security aspects of an information system. ISSO responsibilities include, but are not limited to:

  • Physical and environmental protection
  • Managing and enforcing access restrictions and personnel security
  • Reporting and handling privacy and security incidents
  • Assisting in the development of privacy and security procedures
  • Ensuring compliance with privacy and security procedures
  • Monitoring the system and its environment of operation
  • Developing and updating the System Security Plan (SSP)
  • Managing and controlling changes to the system
  • Assessing the security impact of those changes.

# 4.4 Chief Information Security Officer

The Chief Information Security Officer (CISO) is responsible for coordinating, developing, and implementing an information security program, and manages the security state of organizational information systems through security authorization processes. CISOs ensure that IT systems develop and maintain a complete A&A, and develop POA&Ms to document remedial actions and adequately respond to operational risks. The Bureau/Office CISO (BCISO) works closely with the appropriate privacy and security staff in the program offices to review, evaluate and recommend information security and privacy measures and safeguards to protect information from the loss, theft, misuse, unauthorized access, destruction, and unauthorized modification or disclosure whether accidental or intentional.

# 4.5 Records Officer

The Bureau/Office Records Officer is responsible for collaborating with the Information System Owner and Privacy Act System Manager to identify or develop records retention schedules with approval by the National Archives and Records Administration (NARA) for Federal records maintained within the system. The Bureau/Office Records Officer provides guidance to the Information System Owner on the management of records, the appropriate records retention and destruction schedules, and approved disposition methods.

It is important to collaborate on records requirements at an early stage of development, as any system that contains Federal records that does not have a NARA-approved records retention schedule must maintain those records permanently pending approval of the proposed records schedule by NARA.

Note that the Information System Owner needs to secure the information and assure its accuracy and integrity, so any proposed records schedule should align with the stated purpose and mission of the system. To protect individual privacy when developing records schedules, Bureau/Office Records Officers and Information System Owners should consider that PII only be retained for the minimum amount of time necessary to meet the requirements of the Federal Records Act.

# 4.6 Information Collection Clearance Officer

The Information Collection Clearance Officer (ICCO) is responsible for ensuring that all Bureau/Office information collection activities adhere to the requirements of the Paperwork Reduction Act of 1995 (PRA), OMB directives, and other applicable legislation. The ICCO provides technical assistance, guidance, advice, and training to Information System Owners, Privacy Act System Managers, and other Bureau/Office personnel to ensure compliance with OMB directives and the PRA.

The ICCO is responsible for establishing procedures for the systematic review of existing and proposed information collection requirements. The E-Government Act requires agencies to conduct a PIA on any new collection of information from ten (10) or more members of the public using information technology. The ICCO collaborates with Information System Owners, Privacy Act System Managers, and Bureau/Office Privacy Officers to review PIA requirements for new information collections and obtain OMB approval to collect the information.

# 4.7 Privacy Officer

The Privacy Officer is responsible for managing and overseeing privacy activities to ensure compliance with Federal privacy laws and policies. The Privacy Officer implements privacy policy, provides guidance, evaluates Bureau/Office programs, systems and initiatives for potential privacy implications, and provides strategies to mitigate or reduce privacy risk. The Privacy Officer collaborates with Bureau/Office personnel, Information System Owners, and program managers to ensure privacy considerations are addressed when planning, developing or updating programs, systems or initiatives in order to protect individual privacy and ensure compliance with applicable privacy laws and regulations. The Privacy Officer is responsible for supporting the Information System Owner in the development of the PIA to ensure it is accurate and complete, and adequately identifies and addresses privacy risks. The Privacy Officer reviews the PIA to ensure the appropriate privacy and security safeguards are implemented, records retention requirements are addressed, and published Privacy Act SORNs are identified for systems that contain Privacy Act records. The Privacy Officer maintains an inventory of approved PIAs, ensures PIAs are posted in CSAM and on the DOI Privacy Impact Assessment website as required, and assists in the completion of quarterly and annual FISMA reports for PIAs. Privacy Officer responsibilities include, but are not limited to:

  • Administering the Privacy Program within Bureaus/Offices and implementing DOI privacy policies, procedures, standards, and guidelines.
  • Identifying Privacy Act systems of records and working closely with Privacy Act System Managers, Information System Owners, and other officials to ensure compliance with the provisions of the Privacy Act, the E-Government Act, OMB mandates and DOI privacy policy.
  • Reviewing proposed PIAs to confirm that privacy implications have been identified and evaluated to protect individual privacy while meeting information requirements necessary to meet DOI’s mission, in accordance with the E-Government Act, OMB mandates and DOI policy.
  • Reviewing and assessing privacy controls to ensure adequate safeguards are employed to protect PII, and to demonstrate compliance with Federal privacy requirements.
  • Developing and coordinating documentation required by the Privacy Act, including notices of new, altered or terminated system of records for publication in the Federal Register, and reviewing system of records notices annually to determine necessary revisions.
  • Overseeing Privacy Act System Managers' activities to ensure all privacy-related, statutory, regulatory, and DOI requirements are met.
  • Providing privacy training and promoting awareness of employees’ responsibility to protect personally identifiable information (PII).

# 4.8 Reviewing Official

The Reviewing Official is responsible for reviewing and approving PIAs to ensure that the requirements of the E-Government Act, OMB M-03-22, and DOI policy have been met. For Department-wide PIAs, this is the DOI Chief Information Officer (CIO)/SAOP. For Bureau/Office level PIAs, this is the Bureau/Office Assistant Director for Information Resources (ADIR). The Reviewing Official ensures PIAs adequately assess the privacy and security risks associated with the use of information systems and that remedial action is taken against any privacy deficiencies identified. A Reviewing Official cannot be an official who is responsible for the development, procurement, or management of the system.