Policy for Privacy Impact Assessments (PIA)

June 4, 2019

Project: HHS OCIO PIA Policy
Document Number: HHS-OCIO-PIM-2019-05-003

Table of Contents

  1. Nature of Changes
  2. Purpose
  3. Background
  4. Scope
  5. Applicable Laws, Policies, and Guidance
  6. Policy
  7. Roles and Responsibilities
  8. Information and Assistance
  9. Effective Date and Implementation
  10. Approval

Concurrence

Appendix A: Procedures

Appendix B: Standards

Appendix C: Guidance

Appendix D: Forms and Templates

Glossary and Acronyms


1. Nature of Changes

This U.S. Department of Health and Human Services (HHS) Policy for Privacy Impact Assessments (PIA) updates and supersedes the previous version (HHS-OCIO-2009-0002.001, dated February 9, 2009). The Policy was updated to align with current HHS Privacy Threshold Analysis (PTA), PIA, and Internal PIA processes.[1]

2. Purpose

The E-Government Act of 2002 and Office of Management and Budget (OMB) Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, require agencies to perform PIAs before developing, procuring, or using information technology (IT) systems or projects that collect, disseminate, maintain, or dispose of personally identifiable information (PII), or before initiating, consistent with the Paperwork Reduction Act (PRA), a new electronic collection of PII from ten or more individuals. The purpose of this Policy is to set forth the minimum HHS PTA, PIA, and Internal PIA requirements, as well as the accompanying review and publication processes.

This Policy is supplemented by additional guidance that describes in greater detail the actions and activities that shall be taken to conduct and review PTAs, PIAs, and Internal PIAs at HHS.[2]

3. Background

The public entrusts HHS with a wide array of personal information ranging from basic identifiers, such as name and Social Security number, to more complex data, such as an individual’s genomic sequence or medical history. This public trust carries with it a corresponding responsibility that HHS protect and safeguard the information while it is being stored, transmitted, and shared by HHS.

To ensure that the public’s personal information is protected in a manner commensurate with the privacy risks, HHS uses a privacy analysis process to assess the risks associated with HHS’s collection and maintenance of PII and to ensure information is handled in accordance with applicable legal, regulatory, and policy requirements. This process is documented in PTAs, PIAs, and Internal PIAs.

PTAs analyze how information is handled in IT systems and electronic information collections. If the analysis determines that the IT system or electronic information collection collects, disseminates, maintains, or disposes of PII, a PIA or Internal PIA shall also be required. PIAs are used to assess the privacy risks of IT systems and electronic information collections that collect, disseminate, maintain, or dispose of PII about members of the public. PIAs also provide transparency into how HHS collects, disseminates, maintains, or disposes of the public’s PII. Internal PIAs are used when an IT system or electronic information collection collects, disseminates, maintains, or disposes of PII only about HHS employees or direct contractors.[3] Given that HHS handles a large amount of PII, it is critical that responsible organizations follow the requirements set forth in this Policy to protect PII and retain the public’s trust.

4. Scope

This Policy applies to HHS’s federal information and information systems, as defined in the Federal Information Security Modernization Act (FISMA), and to electronic information collections, but does not apply to national security systems.[4] This Policy does not apply to the use of third-party websites and applications, which are addressed separately through Third-Party Website and Application (TPWA) PIAs.

This Policy applies to all HHS components, as well as organizations conducting business for or on behalf of HHS through contractual, grant-making, or other relationships.[5] HHS Operating Divisions (OpDivs) shall adopt and implement this Policy or may create a more restrictive policy, but not one that is less restrictive or less comprehensive than this Policy. This Policy does not supersede any other applicable law or higher level Agency directive, nor does it supersede any existing labor management agreement in effect as of the effective date of this Policy.

This Policy also applies to HHS employees, contractor personnel, grant recipients, interns, and other non-government persons supporting HHS. All organizations collecting or maintaining information or using or operating information systems on behalf of the Department are also subject to the stipulations of this Policy. Compliance with this Policy shall be incorporated into applicable contract, grant, or memoranda of agreement language under separate cover, as appropriate.[6]

Furthermore, activities that are assigned to the HHS Senior Agency Official for Privacy (SAOP) in this Policy may be delegated or assigned to a designee.[7] Responsibility for OpDiv PTA, PIA, and Internal PIA activities ultimately lies with the OpDiv Senior Official for Privacy (SOP). OpDiv activities may be delegated or assigned to an OpDiv designee by the OpDiv SOP.

5. Applicable Laws, Policies, and Guidance

This section contains a list of applicable laws and guidance that are either referenced in this Policy or may prove useful in implementing the procedures detailed in this Policy.

5.1. Federal Laws

5.2. Executive Orders, Memoranda, and Directives

5.3. Agencies or Sub-components with Specific Government-wide Guidance

6. Policy

6.1. HHS Definitions

Set forth below are the HHS definitions of PTA, PIA, and Internal PIA.

  • Privacy Threshold Analysis (PTA): an analysis of how information is handled in IT systems and electronic information collections. If the IT system or electronic information collection collects, disseminates, maintains, or disposes of PII, a PIA or Internal PIA shall be required.
  • PTAs are not published on the HHS website and are not subject to the three-year review requirement. PTAs must be updated upon a major change to the IT system or electronic information collection.[8] A major change could result in a PTA meeting the threshold to be a PIA (e.g., the addition of PII).
  • Privacy Impact Assessment (PIA): an analysis of how information is handled to: 1) ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) determine the risks and effects of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of PII in an electronic information system; and 3) examine and evaluate protections and alternate processes for handling information to mitigate potential privacy concerns. A PIA is both an analysis and a formal document detailing the process and the outcome of the analysis.
  • PIAs are used to assess the privacy risks when IT systems and electronic information collections collect, disseminate, maintain, or dispose of PII about members of the public. PIAs are published on the HHS website. PIAs must be reviewed at least every three years and upon a major change to the IT system or electronic information collection.
  • Internal Privacy Impact Assessment (Internal PIA): a subset of HHS PIAs that assess IT systems and electronic information collections that collect PII only about HHS employees or direct contractors.
  • Internal PIAs are used if an IT system or electronic information collection collects, disseminates, maintains, or disposes of PII only about HHS employees or direct contractors. Internal PIAs are not published on the HHS website and are not subject to the three-year review requirement. However, Internal PIAs must be updated upon a major change to the IT system or electronic information collection.

6.2. Establishing the HHS PIA Program

The HHS SAOP shall develop and maintain an HHS framework for the development and maintenance of PTAs, PIAs, and Internal PIAs for IT systems and electronic information collections. The HHS SAOP shall be supported in the activities outlined in this Policy by the HHS Office of Privacy and Information Management (PIM). OpDiv SOPs must establish OpDiv-specific procedures to facilitate the development and maintenance of PTAs, PIAs, and Internal PIAs in accordance with HHS and federal requirements.

6.3. HHS Requirements

The requirements detailed below provide the baseline HHS PIA requirements in accordance with the E-Government Act of 2002 and OMB M-03-22.

6.3.1. Development

In accordance with the HHS Information Systems Security and Privacy Policy (IS2P), Information System Owners,[9] in consultation with the OpDiv SOP and IT experts,[10] shall conduct a PTA, PIA, or Internal PIA before developing, procuring, or using IT systems or projects, or before initiating, consistent with the Paperwork Reduction Act, a new electronic collection of PII from ten or more persons.[11]

6.3.2. Content

The HHS SAOP shall develop a standard form for HHS PTAs, PIAs, and Internal PIAs. In accordance with the E-Government Act of 2002 and OMB M-03-22, HHS PIAs and Internal PIAs must, at a minimum, require Information System Owners to analyze and describe:

  1. What information is collected;
  2. Why the information is being collected;
  3. How the information is intended to be used;
  4. With whom the information will be shared;
  5. What opportunities individuals have to decline to provide information;
  6. How the information will be secured;
  7. Whether a system of records is being created under the Privacy Act of 1974; and
  8. What potential privacy risks to individuals are posed by the IT system or information collection and what mitigation strategies are in place to reduce those risks.[12]

PTAs shall use an abbreviated version of the HHS PIA form and document the information collected by the IT system and the purpose of that collection.

6.3.3. Evaluation and Approval

OpDiv SOPs must evaluate all HHS PTAs, PIAs, and Internal PIAs for adequacy and accuracy and approve all HHS PTAs, PIAs, and Internal PIAs prior to submission to the HHS SAOP. The HHS SAOP shall evaluate all HHS PTAs, PIAs, and Internal PIAs for adequacy, consistency, and compliance with federal and HHS requirements. If the HHS SAOP determines that revisions to the PTA, PIA, or Internal PIA are necessary, the document shall be returned to the OpDiv for updates. Once the HHS SAOP determines that the PTA, PIA, or Internal PIA is adequate, he or she shall approve the PTA, PIA, or Internal PIA.

6.3.4. Review and Revision Requirements

Information system PTAs, PIAs, and Internal PIAs are also part of the Security Assessment and Authorization (SA&A) process for systems; thus, the PTA, PIA, or Internal PIA must be reviewed, and revised as necessary, as part of each information system reauthorization.[13]

The PTA, PIA, and Internal PIA development, review, and revision process allows OpDiv SOPs to confirm that appropriate privacy controls are in place to manage the privacy risks associated with an IT system and to make recommendations regarding the authorization of that IT system.[14] To that end, Information System Owners must review, revise as necessary, and submit PIAs for re-approval no later than three years from the last approval date.

PTAs, PIAs, and Internal PIAs must also be reviewed, updated, and re-approved whenever a change to an IT system, a change in practice, or another factor alters the privacy risks associated with the use of a particular IT system or electronic information collection.[15]

HHS PTAs and Internal PIAs are not reviewed on the three-year cycle. They are required to be updated and re-approved upon a major change, and reviewed as part of the SA&A process as described above.

Please use the summary table below for PTA, PIA, and Internal PIA review cycle information.

Review Cycle                               Documentation
Every three years                          PIA
During the SA&A process, as necessary      PTA, PIA, or Internal PIA
In the event of a major change             PTA, PIA, or Internal PIA

6.3.5. Publication

The HHS SAOP must ensure that HHS PIAs are published and made publicly available on the HHS website.[16] The HHS SAOP, in consultation with the OpDiv SOP, Information System Owner, and other stakeholders, may decide not to make an HHS PIA publicly available to the extent that publication would raise security concerns or reveal classified or sensitive information contained in the PIA.[12] Such information shall be protected and handled consistent with the Freedom of Information Act (FOIA). PTAs and Internal PIAs shall not be published on the HHS website.

6.3.6. Reporting Requirements

Annual reporting requirements—including the annual SAOP FISMA report—often require information regarding PIAs and the agency’s PIA program, including information about the number of IT systems covered by an up-to-date PIA and whether the agency has written PIA policies in place. OpDiv SOPs shall maintain an up-to-date PIA inventory and support compliance with reporting requirements. Information about PIAs shall be tracked and stored in a manner that allows the information to be included in agency reporting documents, including FISMA reports.

7. Roles and Responsibilities

The following sets forth the roles and high-level responsibilities that various privacy stakeholders must undertake when conducting HHS PTAs, PIAs, and Internal PIAs.

Please note that, as set forth in Section 4 of this Policy, much of the ultimate authority and decision-making ability for HHS PIAs lies with the HHS SAOP, who is empowered to delegate components of their responsibilities to an assigned designee. Many of the responsibilities for privacy provisions will be carried out by privacy stakeholders within the OpDivs.

7.1. HHS Senior Agency Official for Privacy (or Designee)

At HHS, the Chief Information Officer (CIO) holds the title of HHS SAOP.[17] The responsibilities of the HHS SAOP include, but are not limited to, the following:

  1. Develop and maintain an HHS framework for the development and maintenance of PTAs, PIAs, and Internal PIAs for all IT systems and electronic information collections.
  2. Develop a standard form for HHS PTAs, PIAs, and Internal PIAs.
  3. Review all PTAs, PIAs, and Internal PIAs for adequacy, consistency, and compliance with federal and HHS requirements.
  4. Determine if revisions to the PTA, PIA or Internal PIA are necessary and, if so, return the PTA, PIA, or Internal PIA to the OpDiv for updates.
  5. Approve all PTAs, PIAs, and Internal PIAs that are determined to be adequate.
  6. Ensure that all PIAs are published and made publicly available on the HHS website.
  7. Determine, in consultation with the OpDiv SOP, Information System Owner, and other stakeholders, if a PIA should not be published or made publicly available due to security concerns.

7.2. Operating Division Senior Official for Privacy (or Designee)

The responsibilities of the OpDiv SOP include, but are not limited to, the following:

  1. Establish OpDiv-specific procedures to facilitate the development and maintenance of PTAs, PIAs, and Internal PIAs in accordance with HHS and federal requirements.
  2. Review and approve all PTAs, PIAs, and Internal PIAs for adequacy and accuracy prior to submission to the HHS SAOP for review.
  3. Coordinate with the Information System Owners and other stakeholders to revise PTAs, PIAs, and Internal PIAs in response to HHS SAOP feedback.
  4. Resubmit PTAs, PIAs, and Internal PIAs to the HHS SAOP after completing requested revisions.
  5. Confirm that appropriate privacy controls are in place to manage the privacy risks associated with the IT system and to make recommendations regarding the authorization of the IT system.
  6. Maintain an up-to-date PIA inventory and support compliance with reporting requirements.

7.3. Information System Owner

For the purposes of this Policy, the role Information System Owner includes individuals who are responsible for electronic information collections. The responsibilities of the Information System Owner include, but are not limited to, the following:

  1. Conduct, in consultation with the OpDiv SOP and IT experts, a PTA, PIA, or Internal PIA before developing, procuring, or using IT systems or projects; or initiating, consistent with the Paperwork Reduction Act, a new electronic collection of PII for ten or more persons.
  2. Analyze and document the content contained in a PTA, PIA, or Internal PIA. (See Policy Section 6.3.2, Content, above for additional information.)
  3. Review, revise as necessary, and submit PIAs for re-approval no later than three years from the last approval date, and as part of the SA&A process as required.
  4. Review, revise as necessary, and submit PTAs, PIAs, and Internal PIAs for re-approval whenever a change to an IT system, a change in practice, or another factor alters the privacy risks associated with the use of the IT system or electronic information collection.
  5. Coordinate with the OpDiv SOP to revise PTAs, PIAs, and Internal PIAs in response to HHS SAOP feedback.

8. Information and Assistance

PIM is responsible for the development and management of this policy. Direct questions, comments, suggestions, and requests for information about this policy to [email protected].

9. Effective Date and Implementation

The effective date of this policy is the date the policy is approved. This policy must be reviewed, at a minimum, every three (3) years from the date it is approved. The CIO has the authority to grant a one (1) year extension of the policy. Archival of this policy requires written approval from the HHS CIO.

The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary’s policy statement dated August 7, 1997, as amended, titled “Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations.” It is HHS’ policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department’s plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

10. Approval

/S/


Jose Arrieta, Chief Information Officer (CIO)

June 04, 2019

Concurrence

/S/


Scott Rowell, Assistant Secretary for Administration (ASA)

June 07, 2019

Appendix A: Procedures

Please note that this appendix is subject to change at any time. The current version of this policy will always reside in the OCIO Policy Library.

Operating Divisions (OpDivs) establish OpDiv-specific procedures for completing Privacy Threshold Analyses (PTA), Privacy Impact Assessments (PIA), and Internal PIAs.

Appendix B: Standards

Please note that this appendix is subject to change at any time. The current version of this policy will always reside in the OCIO Policy Library.

No standards are required to comply with this policy.

Appendix C: Guidance

Please note that this appendix is subject to change at any time. The current version of this policy will always reside in the OCIO Policy Library.

No guidance is required to comply with this policy.

Appendix D: Forms and Templates

Please note that this appendix is subject to change at any time. The current version of this policy will always reside in the OCIO Policy Library.

Privacy Threshold Analyses (PTA), Privacy Impact Assessments (PIA), and Internal PIAs are completed using the U.S. Department of Health and Human Services (HHS) security, governance, risk, and compliance tool.

Glossary and Acronyms

Definitions:

Access: The ability to make use of any information system (IS) resource (Source: NIST SP 800-32, Section 9).

Direct Contractor: Defined in this Policy as contractors that operate on behalf of the agency and use the agency’s credentials when doing so. Direct contractors who use HHS credentials are considered employees for the purposes of filling out the PIA.

Information Collection: The obtaining, causing to be obtained, soliciting, or requiring the disclosure to an agency, third parties, or the public of information by or for an agency by means of identical questions posed to, or identical reporting, recordkeeping, or disclosure requirements imposed on, ten or more persons, whether such collection of information is mandatory, voluntary, or required to obtain or retain a benefit (Source: 5 CFR 1320.3).

Information Technology: Any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. For purposes of this definition, the term covers such services or equipment if used by the agency directly, or if used by a contractor under a contract with the agency that requires its use, or requires its use to a significant extent in the performance of a service or the furnishing of a product. The term “information technology” includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources. The term “information technology” does not include any equipment that is acquired by a contractor incidental to a contract which does not require its use (Source: 40 U.S.C. § 11101).

Internal Privacy Impact Assessment (Internal PIA): Defined in this Policy as a subset of HHS PIAs that assess IT systems and electronic information collections that collect PII about HHS employees or direct contractors only.

Internal PIAs are used if an IT system or electronic information collection collects, disseminates, maintains, or disposes of PII only about HHS employees or direct contractors. Internal PIAs are not published on the HHS website and are not subject to the three-year review requirement. However, Internal PIAs must be updated upon a major change to the IT system or electronic information collection.

Maintain: To maintain, collect, use, or disseminate (Source: The Privacy Act of 1974, as amended).

Major Change: Any change to an IT system or practice, or any other factor, that alters the privacy risks associated with the use of a particular IT system. According to OMB M-03-22, PIAs should be conducted following any major change, including, but not limited to:

  • Conversions: A conversion from paper-based methods to electronic systems (e.g., records currently in paper form will be scanned or otherwise added into a system);
  • Anonymous to Non-Anonymous: When the system’s function, as applied to an existing information collection, changes anonymous information into PII;
  • Significant System Management Changes: In the case that new uses of an existing IT system, including application of new technologies, significantly change the process of managing PII in the system;
  • Significant Merging: When agencies adopt or alter business processes so that government databases holding PII are merged, centralized, matched with other databases, or otherwise significantly manipulated;
  • New Public Access: When user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system, which can be accessed by the public;
  • Commercial Sources: When PII is obtained from commercial or public sources and is systematically integrated into the existing information systems databases;
  • New Interagency Uses: When agencies work together on shared functions involving significant new uses or exchanges of PII;
  • Internal Flow or Collection: When alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional PII; and
  • Alteration in Character of Data: When new PII added to a collection raises the risk to personal privacy, such as the addition of health or financial information.
    (Source: OMB Memorandum M-03-22)

Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. (Source: OMB Circular A-130).

Privacy Impact Assessment (PIA): An analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; to determine the risks and effects of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of PII in an electronic information system; and to examine and evaluate protections and alternate processes for handling information to mitigate potential privacy concerns. A PIA is both an analysis and a formal document detailing the process and the outcome of the analysis. (Source: OMB Circular A-130).

PIAs are used to assess the privacy risks when IT systems and electronic information collections collect, disseminate, maintain, or dispose of PII about members of the public. PIAs are published on the HHS website. PIAs must be reviewed at least every three years and upon a major change to the IT system or electronic information collection.

Privacy Threshold Analysis (PTA): Defined in this Policy as an analysis of how information is handled in IT systems and electronic information collections. If the IT system or electronic information collection collects, disseminates, maintains, or disposes of PII, a PIA or Internal PIA shall be required.

PTAs are not published on the HHS website and are not subject to the three-year review requirement. PTAs must be updated upon a major change to the IT system or electronic information collection. A major change could result in a PTA meeting the threshold to be a PIA (e.g., the addition of PII).

Risk: The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks emerge from legal liability or mission loss due to:

  1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information;
  2. Unintentional errors and omissions;
  3. IT disruptions due to natural or man-made disasters;
  4. Failure to exercise due care and diligence in the implementation and operation of the information system.

(Source: NIST SP 800-30, Appendix E).

System: A collection of computing and/or communications components and other resources that support one or more functional objectives of an organization. IT system resources include any IT component plus associated manual procedures and physical facilities that are used in the acquisition, storage, manipulation, display, and/or movement of data or to direct or monitor operating procedures. An IT system may consist of one or more computers and their related resources of any size. The resources that comprise a system do not have to be physically connected (Source: NIST SP 800-16, Appendix C).

System of Records (SOR): A group of any records under the control of any agency where information is retrieved by the name of the individual, by some identifying number or symbol, or other identifiers assigned to the individual. The key to this definition is that the records must be "retrieved by", not "retrievable by" an individual’s name and/or personal identifier (Source: The Privacy Act of 1974, as amended).

Third-Party Websites and Applications (TPWA): Web-based technologies that are not exclusively operated or controlled by a government entity, or web-based technologies that involve significant participation of a nongovernmental entity. Often these technologies are located on a “.com” website or other location that is not part of an official government domain. However, third-party applications can also be embedded or incorporated on an agency’s official website. (Source: OMB Memorandum M-10-23).

Acronyms:

COPPA – Children’s Online Privacy Protection Act
FISMA – Federal Information Security Modernization Act
FOIA – Freedom of Information Act
HHS – United States Department of Health and Human Services
IS2P – HHS Information Systems Security and Privacy Policy
IT – Information Technology
M – Memorandum
NIST – National Institute of Standards and Technology
OCIO – Office of the Chief Information Officer
OMB – Office of Management and Budget
OpDiv – Operating Division
PIA – Privacy Impact Assessment
PII – Personally Identifiable Information
PIM – Office of Privacy and Information Management
PTA – Privacy Threshold Analysis
PRA – Paperwork Reduction Act
SAOP – Senior Agency Official for Privacy
SA&A – Security Assessment and Authorization
SOP – Senior Official for Privacy
SP – Special Publication
SSN – Social Security Number
StaffDiv – Staff Division
TPWA – Third-Party Websites and Applications
U.S. – United States
U.S.C. – United States Code

[1] For additional information regarding these processes, please see Section 6.1, HHS Definitions, of this Policy.
[2] Contact the appropriate Operating Division (OpDiv) Senior Official for Privacy (SOP) or the HHS Office of Privacy and Information Management at [email protected] for assistance.
[3] At the U.S. Department of Health and Human Services (HHS), direct contractors are contractors that operate on behalf of the agency and use the agency’s credentials when doing so. Direct contractors who use HHS credentials are considered employees for the purposes of filling out the Privacy Impact Assessment (PIA). HHS has implemented the Internal PIA to ensure that privacy risks to employees and direct contractors are appropriately addressed and documented. Per Office of Management and Budget (OMB) Memorandum M-03-22, agencies do not have to conduct PIAs on systems that only contain information about agencies, instrumentalities, or employees of the Federal Government (including contractors and consultants of the Federal Government). OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003), available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2003/m03_22.pdf... See Section 6.3, HHS Requirements, for more information.
[4] Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3552.
[5] HHS components include OpDivs and Staff Divisions (“StaffDivs”). For the purposes of this Policy, references to “OpDivs” also include StaffDivs.
[6] For further information, please see HHS Office of the Chief Information Officer (OCIO), HHS Security and Privacy Language for Information and Information Technology Procurements, Version 2.0 (June 26, 2017), available at: https://intranet.hhs.gov/it/cybersecurity/policies/security-privacy-language.pdf.
[7] OMB Memorandum M-16-24, Role and Designation of Senior Agency Officials for Privacy (September 15, 2016), available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m_16_24_0.pdf.
[8] For additional information on the types of changes that would be considered a major change, see the Glossary and Acronyms section of this Policy and OMB M-03-22.
[9] For the purposes of this Policy, Information System Owners include individuals responsible for electronic information collections.
[10] In order to conduct a meaningful PIA, the Information System Owner shall work closely with the program managers, IT experts, security officials, counsel, and other relevant agency officials. IT experts may include, but are not limited to, information system security officials, system assessors, system developers, system architects, and system analysts.
[11] OMB Memorandum M-03-22; Paperwork Reduction Act (PRA) of 1995, 44 U.S.C. § 3501 et seq.
[12] OMB Memorandum M-03-22.
[13] Privacy Threshold Analyses (PTA), PIAs, and Internal PIAs for High Value Assets (HVA) may require more frequent review. OMB Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program (December 10, 2018), available at: https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf.
[14] Per Appendix I § 4(e)(9) of OMB Circular A-130, SAOPs must review authorization packages for information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII to ensure compliance with applicable privacy requirements and manage privacy risks, prior to authorizing officials making risk determination and acceptance decisions. OMB Circular A-130, Managing Information as a Strategic Resource (July 28, 2016), available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf.
[15] These types of changes are commonly known as “major changes.” For additional information on the types of changes that would create new privacy risks and require an update to an HHS PIA or PTA, see OMB Memorandum M-03-22.
[16] OMB Memorandum M-03-22; OMB Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services (November 8, 2016), available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf.
[17] OMB Memorandum M-16-24.
Content created by Office of the Chief Information Officer (OCIO)