Skip Navigation
  • Text Size: A A A
  • Print
  • Email
  • Facebook
  • Tweet
  • Share

HHS OCIO 2009-0002.001 Policy for Privacy Impact Assessment (PIA)

HHS OCIO Policy for Privacy Impact Assessment (PIA)

February 9, 2009

HHS-OCIO-2009-0002.001

 

1.     Purpose. 1

2.     Background. 1

3.     Scope. 1

4.     Policy. 2

4.1       PIA Process. 2

4.2       Annual Review and Major Changes. 2

5.     Roles and Responsibilities. 3

5.1       Department Level Roles and Responsibilities. 3

5.2       OPDIV Level Roles and Responsibilities. 5

6.     Applicable Laws and Guidance. 8

6.1       Federal Statutes. 8

6.2       OMB Guidance. 10

7.     Information and Assistance. 13

8.     Effective Date/Implementation. 14

9.     Approved. 14

Glossary. 14

 

 

1 Purpose

This Policy provides a standard approach for conducting Privacy Impact Assessments (PIAs) for all Department of Health and Human Services (HHS) information technology (IT) systems, including those in the Development or Test phase of the system development life cycle (SDLC) and those owned or operated on behalf of the Department.  This Policy also provides detailed instructions that aid in properly populating the PIA, and a summary of the federal requirements and guidance that protect personally identifiable information (PII).  Properly completing a PIA for every IT system will help ensure privacy protections are incorporated into every stage of an IT system’s life cycle.

This Policy is first issuance.

 

2 Background

The Department recognizes the public’s growing demand that government entities protect PII whether it is collected by, maintained in, or disseminated through a Department-owned IT system or an IT system operated on behalf of the Department.  PIAs are used by the Department to ensure sensitive information such as PII is protected in a manner that ensures the confidentiality of the data.  The Office of the Chief Information Officer (OCIO) issues the HHS-OCIO Policy for PIA, providing requirements for complying with Titles II and III of the E-Government Act of 2002 and with the Federal Information Security Management Act of 2002 (FISMA) reporting-requirements set forth annually by the Office of Management and Budget (OMB).  Since the Department handles a large amount of PII protected by these federal laws, it is critical that responsible organizations follow the requirements set forth in this Policy to secure PII and retain the public’s trust.

 

3 Scope

This Policy applies to all Department Operating Divisions (OPDIVs) and Staff Divisions (STAFFDIVs), including the Office of the Secretary and Office of the Inspector General, and to all organizations operating IT systems on behalf of the Department (i.e., grantees and contractors). (1) Agency officials shall apply this Policy to all Federal employees, contractor personnel, interns, and other non-government employees.  All organizations collecting or maintaining information or using or operating information systems on behalf of the Department are also subject to the stipulations of this Policy.

OPDIVs and STAFFDIVs shall use this Policy or may create a more restrictive OPDIV/STAFFDIV policy tailored to their specific environment; however, that policy may not be less restrictive, less comprehensive, or less compliant than this Department Policy.

The content of and compliance with this Policy shall be incorporated into applicable contract language or memoranda of agreement under separate cover (e.g., Interim HHSAR FISMA policy), as appropriate.

This Policy does not supersede any other applicable law, higher level agency directive, or existing labor management agreement.

 

4 Policy

4.1           PIA Process

The HHS-OCIO Policy for PIA codifies the Department’s authority to require that all individuals responsible for operating IT systems execute a PIA in the manner prescribed by the PIA Standard Operating Procedure, which is promulgated and maintained by the Senior Agency Official for Privacy (SAOP).  OPDIVs and STAFFDIVs shall ensure that all Department IT systems and those IT systems owned or operated on behalf of the Department have a current PIA and follow the process for completing the PIA, as outlined in the PIA Standard Operating Procedure and in compliance with the E-Government Act requirements.  Each PIA shall include details on the data collected by, maintained in, or disseminated through the IT system, as well as the safeguards in place to protect that data, as required by federal privacy laws and regulations. 

Each PIA shall be promoted by the OPDIV Senior Official for Privacy (SOP) using the FISMA compliance tool, and then reviewed by the Department’s SAOP for (1) completeness, (2) submission to OMB, and (3) approval for web publishing.  In accordance with the E-Government Act of 2002, the Rehabilitation Act of 1973, and OMB Memorandum (M) 03-22 (OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002), the HHS Information Security and Privacy Program shall make all PIA summaries publicly available at www.hhs.gov/pia.

4.2           Annual Review and Major Changes

A PIA is a living document, and as such, shall be updated regularly.  Each PIA shall be reviewed and re-approved annually via the FISMA compliance tool.  In doing so, the OPDIV SOP validates that the PIA is current and that any major changes that may have occurred to the data within the system, or to the safeguards in place protecting the system have been accurately captured.  Any major change to the data that result in privacy risks shall be accurately reflected in the PIA.  These changes include, but are not limited to, the following scenarios, as set forth in OMB M-03-22:

  • Conversions: A conversion from paper-based methods to electronic systems;
  • Anonymous to Non-Anonymous: The system’s function, as applied to an existing information collection, changes anonymous information into PII;
  • Significant System Management Changes: In the case that new uses of an existing IT system, including application of new technologies, significantly change the process of managing PII in the system;
  • Significant Merging: When agencies adopt or alter business processes so that government databases holding PII are merged, centralized, matched with other databases, or otherwise significantly manipulated;
  • New Public Access: When user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system, which can be accessed by the public;
  • Commercial Sources: PII, obtained from commercial or public sources, is systematically integrated into the existing information system’s database;
  • New Interagency Uses: When agencies work together on shared functions involving significant new uses or exchanges of PII;
  • Internal Flow or Collection: When alteration of a business process results in significant new uses or disclosures of information, or incorporation into the system of additional PII; and
  • Alteration in Character of Data: When new PII added to a collection raises the risks to personal privacy, such as the addition of health or privacy information.

Changes made to the security controls in a system shall also be reflected in the PIA.  These changes include, but are not limited to, the following, as described in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 (as amended), Recommended Security Controls for Federal Information Systems:

  • Testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually;
  • Reviewing information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts;
  • Assessing the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system; and
  • Reviewing the security plan for the information system and revise the plan to address system/organizational changes.

If any of these or other scenarios occur, each affected section within the PIA shall be updated to reflect the current state of the information system.  Annual reviews of the PIA shall ensure that these triggers, or any other PII-impacting changes in the management, operational, or technical environment of an IT system, shall be captured as required by federal legislation and Department policy

 

5 Roles and Responsibilities

5.1 Department Roles and Responsibilities

5.1.1    HHS Senior Agency Official for Privacy (SAOP)

At HHS the Chief Information Officer (CIO) holds the title of SAOP and is responsible for:

  • Designating responsibility for oversight of the PIA process to the OPDIV SOP;
  • Reviewing and acknowledging the completion and accuracy of PIAs by designating PIAs as approved for web publishing via the Department’s PIA reporting tool;
  • Allocating proper resources to permit identification and remediation of privacy weaknesses;
  • Approving submission of the Privacy Management portion of the Department’s annual FISMA report;
  • Coordinating privacy-related reporting activities as mandated by federal legislation and OMB guidance;
  • Ensuring the proper implementation of information privacy protections, including full compliance with federal laws, regulations, and policies relating to information privacy, such as the Privacy Actof 1974;
  • Maintaining appropriate documentation to ensure compliance with information privacy laws, regulations, and HHS policies;
  • Overseeing, coordinating, and facilitating the Department’s privacy compliance efforts, including reviewing documented information privacy procedures to ensure that they are comprehensive and up-to-date, and coordinating revision, as necessary;
  • Ensuring that the Department’s employees, contractors, and stakeholders are provided with appropriate training;
  • Providing training regarding the information privacy laws, regulations, policies, and procedures governing the Department’s handling of PII; and
  • Maintaining a central policy-making role in the Department’s development and evaluation of legislative, regulatory, and other policy proposals pertaining to information privacy issues, including those relating to the agency’s collection, use, sharing, and disclosure of PII.

5.1.2    HHS Privacy Act Officer within the Office of the Assistant Secretary for Public Affairs (ASPA)

The HHS Privacy Act Officer is responsible for:

  • Reviewing HHS Privacy Act System of Records Notices (SORN) prior to publication;
  • Responding to and reviewing questions relating to the Privacy Act via the Agency Privacy Management Report section of FISMA; and
  • Implementing requirements of the Privacy Act and corresponding operating procedures.

5.1.3    HHS Information Security and Privacy Program headed by the Chief Information Security Officer (CISO) within the Office of the Assistant Secretary for Resources and Technology (ASRT)

The HHS Information Security and Privacy Program is responsible for:

  • Ensuring OPDIV SOP involvement in the PIA process;
  • Reviewing completed PIAs, and attesting that they are adequately and accurately completed prior to SAOP approval for web publishing;
  • Submitting the Privacy Management portion of the Department’s annual FISMA report to the SAOP for approval;
  • Overseeing the coordination of privacy-related reporting activities as mandated by federal legislation and OMB guidance;
  • Developing the proper policy and guidance for implementation of information privacy protections, including full compliance with federal laws, regulations, and policies relating to information privacy;
  • Maintaining appropriate documentation regarding compliance with information privacy laws, regulations, and HHS policies;
  • Ensuring the Department’s privacy compliance efforts are ongoing, including reviewing documented information privacy procedures to ensure that they are comprehensive and up-to-date, and coordinating revision, as necessary;
  • Providing training for the Department’s employees, contractors, and stakeholders on completing PIAs;
  • Providing training regarding the information privacy laws, regulations, policies, and procedures governing the Department’s handling of PII; and
  • Maintaining a central policy-making role in the Department’s development and evaluation of legislative, regulatory, and other policy proposals pertaining to information privacy issues, including those relating to the agency’s collection, use, sharing, and disclosure of PII.

5.2           OPDIV Level Roles and Responsibilities

OPDIVs are responsible for conducting an initial PIA on each system and maintaining a current PIA throughout the system’s existence.  OPDIVs shall complete each PIA and promote it to the Department for review.  Instructions for doing this, as well as for demoting PIAs, can be found in the PIA Standard Operating Procedures. Please note that the responsibilities listed for each role may differ slightly from OPDIV to OPDIV. This is contingent upon the roles of individuals within an OPDIV, and often times the same individual may have dual roles.

5.2.1    OPDIV CISO

The OPDIV CISOs are responsible for:

  • Reporting to the HHS CISO on the effectiveness of the OPDIV’s information privacy program, including any progress of remedial actions;
  • Managing internal privacy reviews of the OPDIV’s business cases, alternatives analyses, and other specific investment documents;
  • Obtaining contractual assurances from third parties to ensure that the third party will protect PII in a manner consistent with the privacy practices of the Department and applicable laws, before enabling access to PII;
  • Ensuring that all employees and contractors comply with the privacy practices of the Department and applicable laws;
  • Establishing a framework to facilitate the development and maintenance of PIAs for all systems;
  • Managing and certifying an inventory of all current and proposed investments that contain a privacy control component;
  • Coordinating privacy reporting activities as mandated by federal privacy legislation and OMB guidance;
  • Coordinating with the OPDIV’s SOP to develop the organization’s information privacy program;
  • Integrating and implementing privacy policies, procedures, and practices that are consistent with Department requirements to assure that systems, programs, and data are secure and protected from unauthorized access that might lead to the alteration, damage, or destruction of automated resources, and unintended release of data;
  • Documenting security and privacy considerations in acquisition documents, and maintaining contractor compliance in a manner consistent with the privacy practices of the Department; and
  • Supporting general privacy awareness and role-based training activities for all personnel using, operating, supervising, and/or managing IT systems.

5.2.2    OPDIV Senior Official for Privacy (SOP)

The SOP title was extended by the Department to each OPDIV to effectively meet the reporting requirements outlined in OMB M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.  The agency requirement for the title is outlined in OMB M-05-08, Designation of Senior Agency Officials for Privacy.  OPDIV SOPs are responsible for:

  • Reviewing completed PIAs and attesting that they are adequately and accurately completed;
  • Promoting PIAs to the Department and the SAOP once complete or, if errors are found, seeking revisions from the PIA author;
  • Tracking and maintaining all PIA activities in the Department’s PIA reporting tool;
  • Reporting to the HHS CISO—in coordination with the OPDIV CISO—the effectiveness of the organization’s information privacy program, including progress of remedial actions;
  • Establishing and implementing privacy policies, procedures, and practices consistent with Department privacy requirements, in coordination with the OPDIV CISO;
  • Coordinating with the OPDIV CISO and privacy stakeholders to obtain contractual assurances from third parties to ensure that the third party will protect PII in a manner consistent with the privacy practices of the Department;
  • Establishing an OPDIV policy framework to facilitate the development and maintenance of PIAs for all systems based on Department and federal legislative requirements;
  • Coordinating and ensuring that privacy education and awareness activities, specific to the OPDIV privacy culture, are established for all personnel using, operating, supervising, and/or managing computer systems;
  • Tracking and maintaining all PIA activities in the current PIA reporting tool;
  • Coordinating with OPDIV budgetary offices to ensure PIA and SORN activities are included as part of Exhibit 300 development(2);
  • Determining whether systems are allowed to operate following consideration of the security controls that protect the integrity of PII.
  • Reviewing and approving OPDIV FISMA and Privacy Management Report for submission to the Department;
  • Coordinating OPDIV policy, guidance, and system-level documentation to ensure Department management, technical, and operational privacy requirements are addressed;
  • Supporting the Department SAOP in ad hoc privacy reporting activities, including the maintenance of President’s Management Agenda (PMA) and quarterly FISMA reporting activities;
  • Making recommendations to senior level officials with budgetary authority to allocate proper resources to mitigate privacy weaknesses found in system PIAs;
  • Complying with and maintaining PMA privacy goals; and
  • Providing notification to the Department when new PIAs have been completed and/or existing PIAs have been updated.

5.2.3    OPDIV Privacy Contact

The OPDIV Privacy Contact is responsible for:

  • Serving as a point of contact (POC) for issues related to the Privacy Act within the OPDIV;
  • Maintaining awareness of privacy laws, regulations, and issues within the OPDIV;
  • Maintaining an OPDIV SORN website to post current SORNs per the guidance of the Department Privacy Act Officer; and
  • Supporting the OPDIV SOP and OPDIV CISO in completing required reviews, as defined by OMB Circular A-130.

 

5.2.4    System PIA Author

The role of the PIA author can be filled by the OPDIV Information System Security Officer (ISSO), a system owner, or any other any other individual as designated by the OPDIV SOP.  Responsibilities for the PIA author include:

  • Coordinating with appropriate OPDIV privacy stakeholders and completing PIAs;
  • Identifying additional resources needed to complete PIAs;
  • Submitting completed PIAs to the OPDIV SOP;
  • Collaborating with the OPDIV SOP and system owners to collect information needed to complete PIAs;
  • Providing updates, at the direction of the OPDIV CIO and the SOP, to OPDIV management on the progress of PIA completion; and
  • Determining the adequacy of the privacy controls that protect PII.

5.2.5    System Owners/ Program Managers

The system owners/program managers are responsible for:

  • Coordinating with appropriate OPDIV privacy stakeholders to complete system PIAs;
  • Submitting complete PIAs to the OPDIV SOP and/or system or program management staff for review, as coordinated by OPDIV; and
  • Working with the OPDIV SOP and system owners to collect information needed to complete PIAs.

 

5.2.6    Website Owners/Administrators

The website owners/administrators are responsible for:

  • Ensuring that OPDIV websites do not employ persistent tracking technologies, or if technologies are in use, written authorization is issued from the HHS Secretary on an annual basis;
  • Identifying additional resources needed to complete machine-readable privacy policies;
  • Implementing, testing, and maintaining machine-readable privacy policies on existing websites and websites in development;
  • Implementing, testing, and maintaining machine-readable policy reference files on any Web server that hosts an HHS website; and
  • Ensuring that a privacy policy has been developed and is accessible as a link on each OPDIV webpage.

 

6 Applicable Laws and Guidance

HHS is responsible for implementing and administering an information security program to protect its information resources.  The program will comply with applicable public laws, federal regulations, and Executive Orders (EO), including FISMA; the Privacy Act of 1974; the Health Insurance Portability and Accountability Act of 1996(HIPAA); OMB Circular A-130, Management of Federal Information Resources, dated November 28, 2000; OMB M-05-08, Designation of Senior Agency Officials for Privacy, dated February 11, 2005; OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007; and OMB M-08-21, FY08 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated July 14, 2008.  To meet these requirements, the Department has instituted the HHS Information Security and Privacy Program Policy document and the accompanying HHS Information Security Program Handbook.

 

6.1           Federal Statutes

Public laws require federal agencies to protect the privacy of PII residing within their agencies, improve the management of IT resources, and establish agency IT security programs.  Applicable statutes and major legislation, such as the E-Government Act of 2002 and the Privacy Act of 1974, are described below.  Other federal authorities referenced in this policy are listed in HHS PIA Standard Operating Procedures.

The material in this policy is consistent with federal laws and guidance existing at the time it was drafted.  Updates will be made as federal legislation and regulations are modified or developed.

6.1.1    The Privacy Act of 1974

The Privacy Act of 1974 protects the privacy of individuals by establishing “Fair Information Practices” for the collection, maintenance, use, and dissemination of information by federal agencies.  The Privacy Act, along with its accompanying case law, is the most significant milestone in the history of the protection of the privacy of personal information held by the federal government.  Many subsequent laws, regulations, and guidance build upon the principles first articulated in thePrivacy Act. 

6.1.2    The E-Government Act of 2002

Title II of the E-Government Act of 2002 requires federal agencies to conduct PIAs before developing or procuring IT systems that collect, maintain, or disseminate PII.  Once completed, the agency’s CIO, or an equivalent official, shall review the PIAs.  Additional requirements, include making PIAs publicly accessible and posting a machine-readable privacy notice on publicly facing websites.

Title III of the E-Government Act, also known as FISMA, superseded and made permanent some of the provisions of the Government Information Security Reform Act of 2000(GISRA).  FISMA amends the Paperwork Reduction Act of 1995 (PRA) by adding a new subchapter on information security that requires certain program management, evaluation, and reporting activities, such as performing an annual self-assessment and conducting an independent assessment by the Inspector General (IG) of each agency.

6.1.3    The Children’s Online Privacy and Protection Act of 1998 (COPPA)

COPPA applies to private sector websites that collect personal information online from children under the age of 13.  OMB M-00-13, Privacy Policies and Data Collection on Federal Web Sites, dated June 22, 2000, extended the provisions of COPPA to federal websites.  COPPA identifies the content that a website operator shall include in a privacy policy, outlines when and how to seek verifiable consent from a parent, and specifies the responsibilities an operator has for protecting children’s privacy and safety online.

6.1.4    The Clinger-Cohen Act of 1996

The Clinger-Cohen Act of 1996 (which includes both the Information Technology Management Reform Act and the Federal Acquisition Reform Act) is intended to improve the productivity, efficiency, and effectiveness of federal programs through the improved acquisition, use, and disposal of IT resources.  Among other effects, the Act makes agencies responsible for IT resource acquisition and management under the guidance of the CIO and emphasizes that value shall be maximized and risk shall be minimized in capital planning and budget processes.  In effect, the Clinger-Cohen Act places the burden of incorporating privacy controls into IT investments at the agency and CIO levels.

6.1.5    The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA affects the health insurance industry and contains provisions under the heading of “Administrative Simplification” that govern how government and private sector health care institutions handle protected health information (PHI), a subset of “individually identifiable health information” or PII.  Pursuant with these provisions, regulations published in 2000 established standards for providing notice on how to use and disclose health information collected from users under a covered entity’s services.  These regulations also grant certain rights to individuals, including the right to see one’s health records and to request corrections or other amendments to those records.  These regulations apply to both written and oral PHI.

Further discussion of HIPAA requirements, compliance, and implementation can be found in the HHS HIPAA Compliance Guide and the HHS Office of Civil Rights (OCR) HIPAA Privacy Web page at http://www.hhs.gov/ocr/hipaa/.

 

6.1.6    The Paperwork Reduction Act of 1995 (PRA)

PRA focuses on increasing the efficiency of the federal government’s information collection practices.  PRA specifies that CIOs shall improve protection for the privacy and security of information under their agency’s control.  PRA also created the Office of Information and Regulatory Affairs (OIRA) within OMB to provide central oversight of information management activities across the federal government.  Furthermore, the PRA requires agencies to receive an OMB information collection approval number (also known as an “OMB control number”) for an IT system, prior to using that system to collect information from any person.

 

6.1.7    The Computer Matching and Privacy Protection Act of 1988

The Computer Matching and Privacy Protection Act of 1988 added several new provisions to the Privacy Act of 1974.  “Computer matching” occurs when federal and/or state agencies share PII.  Agencies use computer matching to conduct many government functions, including, but not limited to, establishing or verifying eligibility for federal benefit programs, and identifying payments/debts owed to government agencies.  The Computer Matching and Privacy Protection Act requires agencies engaged in computer matching activities to:

  • Provide notice to individuals if their PII is being computer matched;
  • Allow individuals the opportunity to refute adverse information before having a benefit denied or terminated; and
  • Establish data integrity boards to oversee computer-matching activities.

6.1.8    The Freedom of Information Act of 1966 (FOIA)

FOIA requires all agencies of the executive branch to disclose federal agency records or information upon receiving a written request from any individual, except for those records (or portions of them) that are protected from disclosure by certain exemptions and exclusion. (3)

 

6.2               OMB Guidance

The Department shall also comply with OMB guidance when implementing the previously mentioned legislation.  This section highlights important OMB memoranda on privacy and security.

6.2.1    OMB Circular A-130, Appendix III

OMB Circular A-130, Management of Federal Information Resources, Appendix III, dated November 28, 2000, requires agencies to implement security requirements for, and to protect personal information in, automated information systems.  Appendix III provides specific guidelines for implementing these requirements, including a minimum set of controls for federal automated information programs.  Appendix III also assigns federal agency responsibilities for the security of automated information; and links agency automated information security programs and agency management control systems established in accordance with OMB Circular A-123, Management Accountability and Control, dated December 21, 2004.  OMB Circular A-130 requires agencies to adopt three types of security controls:

  • Assigning responsibility for the security of IT systems to a person with the appropriate qualifications, ability, and authority to provide security;
  • Developing system security plans that shall be incorporated into the organization’s information resource management planning process, consistent with guidance issued by NIST; and
  • Reviewing security controls whenever significant modifications are made, or at least once every three years.  The scope and frequency of the review shall be commensurate with the acceptable level of risk, as well as whether PII is contained in the system.

6.2.2    OMB Circular A-11

OMB Circular A-11, Preparation, Submission, and Execution of the Budget, dated June 26, 2008, provides guidance to federal agencies regarding the preparation and submission of budget estimates to OMB.  Section 31.8 of OMB Circular A-11 requires that agency estimates “reflect a comprehensive understanding of OMB security policies and NIST guidance.”  This understanding must be supported by the following measures:

  • Identifying additional security controls for systems that promote or permit public access, other externally accessible systems, and those that are interconnected with systems over which program officials have little or no control;
  • Demonstrating how the agency ensures the effective use of security controls and authentication tools to protect privacy for those systems that promote or permit public access; and
  • Demonstrating how the agency ensures that handling PII is consistent with relevant government-wide and agency processes.

6.2.3    OMB Memorandum 01-05

OMB M-01-05, Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy, dated December 20, 2000, provides guidance on implementing the Computer Matching and Privacy Protection Act of 1988.  Prior to any data sharing, the guidance states that agencies shall “review and meet the Privacy Act requirements for computer matching, including developing a computer matching agreement and publishing notice of the proposed match in the Federal Register.”  The memorandum then states that it “puts forth principles on protecting personal privacy when conducting inter-agency data sharing,” including:

  • Notice
  • Consent, as appropriate
  • Re-disclosure limitations
  • Accuracy
  • Security controls

While M-01-05 stresses these privacy protections, it also discusses additional privacy protections in a section titled “Other Guidance”.  These additional privacy protections are:

  • Employing the principle of minimization;
  • Employing the principle of accountability; and
  • Conducting PIAs.

6.2.4    OMB Memorandum 03-22

OMB M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, dated September 30, 2003, directs agencies to conduct reviews on how technology is implemented to collect new information, and how to collect PII with a recently purchased or newly developed IT system.  According to OMB M-03-22, PIAs shall be conducted following any major changes, including, but not limited to:

 

  • Conversions:  A conversion from paper-based methods to electronic systems.
  • Anonymous to Non-Anonymous:  The system’s function, as applied to an existing information collection, changes anonymous information into PII.
  • Significant System Management Changes:  In the case that new uses of an existing IT system, including application of new technologies, significantly change the process of managing PII in the system.
  • Significant Merging:  When agencies adopt or alter business processes so that government databases holding PII are merged, centralized, matched with other databases, or otherwise significantly manipulated.
  • New Public Access:  When user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system, which can be accessed by the public.
  • Commercial Sources:  PII, obtained from commercial or public sources, is systematically integrated into the existing information system’s database.
  • New Interagency Uses:  When agencies work together on shared functions involving significant new uses or exchanges of PII.
  • Internal Flow or Collection:  When alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional PII.
  • Alteration in Character of Data:  When new PII added to a collection raises the risks to personal privacy, such as the addition of health or privacy information.

6.2.5    OMB Memorandum 05-08

OMB M-05-08, Designation of Senior Agency Officials for Privacy, dated February 11, 2005, provides guidance, which aids in establishing the role of the SAOP as having overall Department-wide responsibility for information privacy issues; overall responsibility and accountability for ensuring the Department’s implementation of information privacy protections; and playing a central role in overseeing, coordinating, and facilitating the Department’s privacy compliance.

6.2.6    OMB Memorandum 06-16

OMB M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006, recommends that agencies follow a checklist for protection of remote information provided by NIST, as well as four additional items provided by OMB.  This guidance is an effort to properly safeguard information assets, while using IT. 

6.2.7    OMB Memorandum 07-16

OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007, reinforces the recommendations set forth in M-06-16 and provides guidance to agencies on how to make a continued effort to safeguard PII and reduce the risk of a PII breach.  Attachment 1 of the document includes the requirement to “review and reduce the volume of personally identifying information.”  The requirement further states that “agencies shall now review their current holdings of personally identifiable information and ensure, to the maximum extent practicable, such holdings are accurate, relevant, timely, and complete, and reduce them to the minimum necessary for the proper performance of a documented agency function.”

6.2.8    OMB Memorandum 08-09

OMB M-08-09, New FISMA Reporting Requirements for FY08, dated January 18, 2008, provides four additional privacy requirements for which agency progress will be evaluated against during the fiscal year 2008 (FY08) FISMA submission.  The first requirement outlined in M-08-09 requires agencies to report on “the number of each type of privacy review conducted during the last fiscal year.” 

6.2.9    OMB Memorandum 08-21

OMB M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated July 14, 2008, assigns responsibility to and provides guidance for the SAOP on how to complete the new privacy questions in the annual FISMA report. 

 

7 Information and Assistance

All Department OCIO policies, standards, procedures and information security controls will be posted on the HHS Internet (http://www.hhs.gov/ocio/policy/index.html) and the HHS Intranet  (http://intranet.hhs.gov/infosec/policies_memos.html).  All questions, comments, suggestions, or requests for further information should be directed to the HHS Information Security and Privacy Program at (202) 205-9581.

 

8 Effective Date/Implementation

The effective date of this Policy is the date the policy is approved.

These policies and procedures will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.

The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations.  It is HHS' policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

9 Approval

 

 

__________________/s/_____________            February 9, 2009_______

Michael W. Carleton                                                  DATE
HHS Chief Information Officer (CIO)                                                           

 

Glossary

Administrative Controls – Safeguards to ensure proper management and control of information and information systems.  These safeguards include policy, PIAs, and certification and accreditation programs.  (See NIST SP 800-12.)

 

Availability – A requirement intended to ensure that systems work properly, and service is not denied to authorized users.  (See NIST SP 800-12.)

 

Confidentiality – A requirement that private or confidential information not be disclosed to unauthorized individuals.  (See NIST SP 800-12.)

 

Cookie – Information that a website puts on an individual’s computer so that it can remember something about the user at a later time.  See also: persistent cookie, session cookie.

 

General Support System (GSS) – An interconnected set of information resources under the same direct management control, which shares common functionality.  A GSS normally includes hardware, software, information, data, applications, communications, and people.  A GSS can be, for example, a local area network (LAN), including smart terminals that support a branch office, an agency-wide backbone, a communications network, a Department data processing center and its operating system and utilities, a tactical radio network, or a shared information processing service organization (IPSO).  (Defined in OMB Circular A-130, (A)(2)(c).)

 

Integrity – The degree to which information is timely, accurate, complete, and consistent.  Data integrity” refers to the quality that is preserved when information and programs are changed only in a specified and authorized manner.  “System integrity” refers to the quality that is demonstrated when a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.  (See NIST SP 800-12.)

 

Non-Major Application – Any initiative or investment not meeting the definition of a major application defined above but is part of the agency's IT portfolio.  (Defined in OMB Circular A-11, Section 53.4)

 

Persistent Cookie – A cookie that is stored on the user’s hard drive and remains there until the user deletes it or it expires.

 

Personally identifiable information (PII) – Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.  (Defined in OMB Memorandum 06-19.)

                         

Physical Security Controls – Measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.  These safeguards might include protections against fire, structural collapse, plumbing leaks, physical access controls, and controls against the intercept of data.  (See NIST SP 800-12.)

 

Privacy Impact Assessment (PIA) – A methodology that provides IT security professionals with a process for assessing whether appropriate privacy policies, procedures, and business practices—as well as applicable administrative, technical and physical security controls—have been implemented to ensure compliance with federal privacy regulations.

 

Protected Health Information (PHI) – any individually identifiable health information. “Identifiable” refers not only to data that is explicitly linked to a particular individual (that's identified information). It also includes health information with data items which reasonably could be expected to allow individual identification.  (Defined in Health Insurance Portability and Accountability Act [HIPAA])

 

Record – Any item, collection, or grouping of information about individuals that is maintained by an agency, including, but not limited to, their education, financial transactions, and/or medical, criminal, or employment history and that contains their name; or containing the identifying number, symbol, or other identifying information assigned to the individual, such as a finger or voice print or a photograph.  (See 5 U.S.C. §552a(a)(4)).

 

Routine Use – Regarding the disclosure of a record, the use of such record for a purpose that is compatible with the purpose for which it was collected.

 

Session Cookie – A small file, stored in temporary memory, containing information about a user that disappears when the user’s browser is closed.  Unlike a persistent cookie, no file is stored on the user’s hard drive.

 

System – An organized assembly of IT resources and procedures integrated and regulated by interaction or interdependence to accomplish a set of specified functions.

 

System of Records Notice (SORN) – A group of records under the control of any agency where information is retrieved by the name of the individual, by some identifying number or symbol, or by other identifiers assigned to the individual. All systems with Privacy Act information contained within them are required to publish a “Records Notice” in the Federal Register that informs the public what information is contained in the system, how it is used, how individuals shall gain access to information about themselves, and other specific aspects of the system.

 

Technical Controls – Safeguards that are generally executed by the computer system.  Technical safeguards include password protection, firewalls, and cryptography.  (See NIST SP 800-12.)

 

Unique Project Identifier (UPI) – An identifier that depicts agency code, bureau code, mission area (where appropriate), part of the exhibit where investment will be reported, type of investment, agency four-digit identifier, year the investment entered the budget, and mapping to the Federal Enterprise Architecture.  (See OMB Circular A-11, Section 53.8.)

 

Website – A collection of interlinked web pages (on either internet or intranet sites) with a related topic, usually under a single domain name, which includes an intended starting file called a “home page.”  From the home page, access is gained to all the other pages on the website.

 

Web Bug – An object embedded into a web page that is used for tracking users that have viewed the page.

 

 

NOTES

(1) Per the memorandum Applicability of the Federal Information Security Management Act (FISMA) to Department of Health and Human Services (HHS) Grantees, released October 29, 2007, FISMA requirements follow agency information into any IT system that uses it or processes it on behalf of the agency.  That is, FISMA applies when the ultimate responsibility and accountability for control of the information continues to reside with the agency.  As such, FISMA applies to grantees only when they collect, store, process, transmit or use information on behalf of HHS or any of its component organizations.  The same rationale holds true for completion of a PIA.

(2) For more information on Exhibits 300, see OMB Circular A-130, Management of Federal Information Resources at http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html.


(3) For more information on FOIA, its exemptions, and exclusions, see the Department of Justice, FOIA Guide available at http://www.usdoj.gov/04foia/04_3.html


Content last reviewed on March 23, 2010