When to conduct a PIA - 18F/DOI-Digital-Services-PIA-UX GitHub Wiki

#Section 2.0 - When to Conduct a PIA

A PIA must be conducted for all DOI systems, including law enforcement and other sensitive systems, to ensure that privacy implications are considered and appropriately addressed. Section 208 of the E-Government Act and OMB M-03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002”, require agencies to conduct a PIA when:

  • Developing or procuring any new technologies or systems that handle or collect PII. Conducting a PIA at the beginning of the development process allows the Privacy Office, program management, and system developers to ensure that the information is handled appropriately. The PIA should show that privacy was considered from the earliest stage of system development. The PIA also provides a framework for ongoing reviews of systems or programs.
  • Reviewing Information Collection Requests (ICRs) that gather PII, including forms under the Paperwork Reduction Act (PRA). If the form or ICR is not covered by an existing PIA and SORN, a new PIA is required.
  • Developing system changes that affect PII or create privacy risk. For example, a program or system may add new sharing of information with another agency, incorporate commercial data from an outside data aggregator, or collect new information or update its existing collections as part of a rulemaking. The PIA should discuss how the management of these new collections ensures conformity with privacy law. Other examples include converting paper-based records to electronic systems; functions that change anonymous information into PII; altered business processes that result in databases holding PII being merged, centralized, or matched with other databases; user-authenticating technology (password, digital certificate, biometric) newly applied to an electronic information system; or new PII added to a collection that raises the risks to personal privacy.

Even when it is not apparent that a system collects or maintains PII, an interface, a new data source, aggregation, or an evolving use may raise privacy risks that must be evaluated through a PIA. Examples of technology systems that generally have privacy implications are human resources, payroll, and law enforcement systems, and systems that perform data mining, data aggregation, or geospatial tracking.

Note that PIAs must address and document privacy controls implemented for information systems, and the privacy controls must be approved by the Senior Agency Official for Privacy (SAOP) as a precondition to granting an Authority to Operate (ATO).

#2.1 Systems That Do Not Contain PII

Some information systems do not contain information that is identifiable to individuals and will not require a full PIA. To ensure that every IT system is thoroughly reviewed for PII on individuals, the Information System Owner should complete the first section of the PIA form and submit it to the Bureau/Office Privacy Officer, who reviews it and determines what further privacy compliance documentation is needed. This documents that the Information System Owner assessed whether the system contains PII and requires a full PIA. The preliminary assessment is also incorporated into the DOI IT Security Assessment and Authorization (A&A) process, through which the Department assures that its information technology systems meet appropriate security and operating standards, so the A&A record shows that a review for information on individuals was already completed for the system.