7/21/2017. Privacy Impact Assessments. Privacy Impact Assessments. What is a Privacy Impact Assessment (PIA)? What is a PIA?

Transcription

1 Presented by Khaliah Barnes Attorney Advisor Office of Privacy and Civil Liberties U.S. Department of Justice For the 10 th Annual American Society of Access Professionals, Inc. National Training Conference July 24, 2017 What is a Privacy Impact Assessment (PIA)? Designed to achieve two goals: 1. Engage in a processof risk analysis and mitigation from design through launch of system; and 2. A show your work document explain to the public the risks and mitigation measures. 2 What is a PIA? -continued Section 208 of the E-Government Act of 2002 requires PIAs for all Federal government agencies that: 1. Develop or procure new information technology involving the collection, maintenance, or dissemination of information in identifiable form from or about members of the public; or 2. Initiate a new collection of information that (I) will be collected, maintained, or disseminated using information technology and (II) includes any information in identifiable form for 10 or more persons. 3 1

2 What is a PIA? -continued A PIA is an assessmentof how: information in identifiable form (IIIF) is handled; to determine the risks and effects of collecting, maintaining, and disseminating IIIF in an electronic information system; and to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. 4 What is a PIA? continued Section 208 requires that PIAs analyze and describe: (I) what information is to be collected; (II) why the information is being collected; (III) the intended use of the agency of the information; (IV) with whom the information will be shared; (V) what notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared; (VI) how the information will be secured; and (VII)whether a system of records is being created under section 552a of title 5, United States Code, (commonly referred to as the Privacy Act ). 5 OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002(2003) M Guidance applies to: All executive branch departments and agencies, and their contractors that use information technology or that operate websites for purposes of interacting with the public; Relevant cross-agency initiatives Agencies must: Conduct PIAs for electronic information systems and collections; Post privacy policies on public agency websites; Translate privacy policies into a standardized machine-readable format; Report annually to OMB on the agency s compliance with E-Government Act of 2002, Section

3 Department of Justice (DOJ) PIAs Approved by the agency s reviewing official and if appropriate, made public Most recent Department PIA template posted on the OPCL website at Components may, at times, be able to use shorter template that meets minimum requirements. 7 What is the purpose of a PIA? The PIA demonstrates that agencies consider privacy from the beginning stages of a system s development and throughout the system s life cycle This ensures that privacy protections are built into the system from the start not after the fact when they can be far more costly or could affect the viability of the project 8 Determining whether a PIA is required Is information in identifiable form (IIIF) collected, maintained, disseminated in the system? Yes Do any exceptions apply? No IIF is collected, maintained, or disseminated by the system Internal government operations Information previously assessed under evaluations similar to PIA Legacy system with no changes creating new privacy risks Is it for the use of a third-party social media application? See OMB Memo M makes PII available Does Agency-wide PIA cover use of application? 9 3

4 When should I conduct an assessment? A PIA should begin simultaneously with the development or procurement of IT systems or projects that collect, maintain, or disseminate information in identifiable form. 10 When should I conduct an assessment? - continued Do National Security Systems need PIAs? Yes. Although, Section 208 of the E-Government Act does not apply to national security systems, it is the Department s policy that PIAs must also be conducted for national security systems and submitted to the Office of Privacy and Civil Liberties (OPCL) for review and approval by the Chief Privacy and Civil Liberties Officer (CPCLO). 11 Who should conduct an assessment? The PIA document should be written and reviewed by a combination of: The component s privacy officials (Senior Agency Office for Privacy, component officials for privacy, privacy office); IT security staff System manager/owner; and The program personnel responsible for the system on the business side and system side 12 4

5 Who should prepare an assessment? - continued The component is responsible for preparing the PIA, including the completion of all internal component reviews, and obtaining the signature of the appropriate component Chief Information Security Officer (CISO). The CISO shall review all PIAs, assessing whether the system controls meet the security requirements, and shall indicate his/her approval of the system s technical description and security by signing the PIA document. 13 Preparing a PIA document Must publish PIAs When practicable Exceptions for classified systems Use clear and understandable language Vary the length/breadth according to system complexity 14 Preparing a PIA document The Executive Summary Short paragraph explaining: Name of the component and system, technology, program, or pilot (hereinafter referred to as system ) and a brief description of the system and its function; The purpose of the system; and An explanation of why a PIA was completed. 15 5

6 Preparing a PIA document Tips on successfully completing a PIA document Use plain language audience is general public unfamiliar with the system Spell out each acronym the first instance it is used it in the document Respond to each question with specific answer Cross-reference other privacy and security documents 16 Preparing a PIA document continued Tips on successfully completing a PIA document Define technical terms or references Clearly reference projects and systems and provide explanations Include the complete name of the reference when first referencing National Institute of Science and Technology (NIST) publications and other documents (e.g., NIST Special Publication , Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)). The abbreviated format may be used for subsequent references. Full names for NIST documents can be found at NIST s website 17 Reviewing a PIA document Agencies privacy offices typically review draft PIAs for: Legal sufficiency and compliance with E-Government Act of 2002 Privacy policy matters Agency privacy office and component collaboration is key The assessment is an iterative process! 18 6

7 Completing a PIA A PIA should be completed before a system s Authority to Operate (ATO). Depending on the system, the assessment may not be complete until right before a system is ready to operate. E.g. Voic system v. Next Generation Identification System At the Department of Justice, the PIA document, which captures the assessment, is approved by the CPCLO. 19 Publishing a PIA document PIA documents are typically made publically available OPCL has dedicated PIA webpage: Components may also post their PIA documents on a component-specific PIA webpage In certain circumstances, requirement to publish PIA may be waived 20 Updating an assessment and a PIA document It is critical to evaluate any changes to the system regarding their effect on individuals privacy Components must update their PIAs to reflect significant changes to information collection authorities, business processes, or other factors affecting the collection and handling of information in identifiable form. Components should use the Privacy Threshold Analysis/Initial Privacy Assessment process to determine whether such changes would require a modification to an existing PIA or would require a new PIA. 21 7

8 Questions? 8