![Page 1: PRIVACY IMPACT ASSESSMENT TRAINING - Energy](https://reader031.vdocuments.site/reader031/viewer/2022012020/61688998d394e9041f705b44/html5/thumbnails/1.jpg)
PRIVACY IMPACT ASSESSMENT TRAINING
Jerry Hanley
Chief Privacy Officer
Department of Energy 2012 Information Management Conference
AGENDA
• Background
• What is a PIA?
• Who? When? Why?
• PIA Process Overview
• Guidelines
• Completing the PIA
  • Module I – PNA
  • Module II – PII Systems & Projects
• Signature & Submission
BACKGROUND
Legislative and Executive Branch Drivers
• Privacy Act of 1974
• E-Government Act, Sec. 208
• OMB Memoranda
BACKGROUND
DOE O 206.1, Department of Energy Privacy Program, 4.e.: “All unclassified information systems shall have a Privacy Impact Assessment (PIA) …”
What is a PIA?
An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. (OMB M-03-22)
A Coordinated Process
(Diagram: the processes and artifacts coordinated with the PIA across the Information & System Lifecycles.)
• Enterprise Architecture
• OMB Exhibits
• E-Gov & FISMA
• Records Management
• Asset Management
• Procurement
• Privacy Impact Assessment
• C&A Documentation
• System Security Plan
• Risk Assessment
Protecting PII
• Lifecycle Approach
• Risk-based Approach
• Context is Key – If DOE is collecting PII as part of its mission, it is required to safeguard and maintain accurate information.
• Report Breaches Immediately – Whether suspected or confirmed.
When to Perform a PIA?
1. Designing or procuring IT systems.
2. Initiating a new electronic collection of information in identifiable form.
3. Significant modification of an existing information system.
4. Prior to using a social media third-party website or application.
Who Completes the PIA?
The PIA is the System Owner’s responsibility. Collaboration is Key.
• The System Owner must work with the system developers (for new systems), data owners, and the Privacy Act Officer to complete the PIA.
• PIAs require collaboration with program experts as well as experts in the areas of information technology, cyber security, legal, records management, procurement and asset management.
PROCESS OVERVIEW
What is the Approval Process?
1. Submit completed PIAs to the CPO (copy relevant program staff).
2. CPO works with the System Owner to address issues.
3. CPO coordinates review, approval and posting of PIAs.
Guidelines
• Please Do Not Modify the PIA Template
• Answer all questions and remove guidance text from the template.
• Organizations may add content to the PIA for their internal use only.
• Date and obtain System Owner signature before submitting to the CPO.
Guidelines
Please Do Not Disclose Sensitive Information
• Refer to other security documents, such as the System Security Plan.
• Use version numbers & maintain local copies of all supporting documentation.
Please Complete the PIA Electronically
• Please do not submit completed PIAs that have been handwritten.
Completing the PIA Template
Module I – Privacy Needs Assessment
System Owners are required to complete this 1st step of the DOE PIA.
PIAs Affecting Members of the Public
Write in plain language at a high level so PIAs are easily understood by the public.
PNA - DETAIL
• See Guidance on Defining Information Systems
• Unique ID (UID)
System Owner has Ultimate Responsibility!
PNA - Detail
• Indicate all Information types.
• Applicability of any software tools, such as Data Leak Prevention or Redaction technologies?
The PNA Threshold Questions
The PNA is designed to ensure privacy is addressed for all information systems in an efficient manner by asking four threshold questions.
The PNA Threshold Questions
If the answer to ALL Threshold Questions is “No,” proceed to the signature page. Submit the completed PNA (Module I) with signature page to the CPO.
The PNA helps to efficiently determine whether additional assessment is necessary. If there is doubt, complete Module II.
Module II – PII Systems & Projects
Module II must be completed for all systems if the answer to any of the four (4) threshold questions is “Yes.”
All questions must be completed. If appropriate, an answer of N/A may be entered.
Module II – PII Systems & Projects
You must reference an Authority. Consent is preferred, but not always required.
Module II – PII Systems & Projects
DOE’s mission is primarily fulfilled by contractors.
Impact Analysis is the heart of the PIA.
Module II – PII Systems & Projects
NOTICE
• What is a SORN?
• Must I reference a SORN?
Module II – PII Systems & Projects
DATA SOURCES & DATA USE
• Where does the PII come from?
• By whom and how will it be used?
Module II – PII Systems & Projects
DATA USE
Monitoring
• Health
• Legal
• Investigation
Module II – PII Systems & Projects
MANAGEMENT & MAINTENANCE
• Accuracy
• Relevance
• Completeness
• Minimization
• Retention
• Disposition
Module II – PII Systems & Projects
ACCESS, SAFEGUARDS & SECURITY
• Security Enables Privacy
• Use High-level Language
• Refer to Security Plans: include dates & versions
Signature & Submission
May Submit PIA Electronically or by Mail
Process Times
Privacy Contact Information
Jerry Hanley
Chief Privacy Officer
U.S. Department of Energy
(202) 586-0483
DOE Privacy Website: From energy.gov click on Privacy Program at the bottom of the DOE homepage.