Privacy Impact Assessment

Privacy Impact Assessment (PIA) is a process for determining the risks and effects of collecting, maintaining and disseminating information in identifiable form, in an electronic information system and for identifying and evaluating protections and alternative processes to mitigate the impact to privacy of collecting information in identifiable form.

The E-Government Act requires that agencies conduct a PIA before (i) developing or procuring information technology that collects, maintains, or disseminates information that is in an identifiable form or (ii) initiating a new electronic collection of information that will be collected from 10 or more persons, other than agencies, instrumentalities, or employees of the Federal Government, and will be maintained or disseminated in an identifiable form, using information technology.

PIAs are conducted to ensure that there is no collection, storage, access, use or dissemination of identifiable information from or about members of the general public and businesses that is not needed or authorized, and that identifiable information that is collected is adequately protected. PIAs may address issues relating to the integrity and availability of data handled by a system, to the extent these issues are not already adequately addressed in a System Security Plan.

Operating units should begin the PIA process when they propose a new IT system through the budget process that will collect, store, or process identifiable information or when starting to develop or significantly modify such a system, or when a new electronic collection of identifiable information is being proposed. The conduct of a PIA is a multidisciplinary process, and operating units should coordinate the efforts of system managers as well as experts in information technology, security, and privacy law and policy in determining whether a PIA should be conducted and in drafting PIAs. The system manager and the system developer must work together to conduct the PIA. The system manager must address what data are to be collected or processed, how the data will be used, and who will be authorized to use the data. The system developer must address what system protections are being applied or will be applied to ensure adequate protection of the data.

To conduct an effective and comprehensive PIA, the system manager and developer should include in the review process those individuals who have expertise in the program area, legal issues, privacy, records management, human resources, and any other subject matter area that may be applicable to the system under review.

PIA Statement

The PIA statement is an analysis of how information is handled, including identification of IT risks and their resolution. The PIA statement must document the following elements:

  • Identifying information, including the OMB Exhibit 300 identification number; IT security system identification number and name; OMB information collection control number; and name, e-mail address, and phone number of a contact person.
  • Brief description of the system, its purpose, and the nature of the data that are to be protected.
  • Event or reason the PIA was conducted (e.g., initial PIA; new data collection; change in ongoing data collection; or reuse of existing data).
  • The law or regulation that authorizes the collection and maintenance of the information.
  • What information is being collected, maintained, or disseminated (e.g., nature and source).
  • Why the information is being collected, maintained, or disseminated (e.g., to determine eligibility).
  • Intended use of the information (e.g., to verify existing data).
  • With whom the information will be shared (e.g., another agency for a specified programmatic purpose).
  • What opportunities individuals or businesses have to decline providing information in the case of voluntary collections.
  • What opportunities individuals or businesses have to consent to particular uses of the information and how they can grant consent.
  • How the information will be secured (i.e., management, operational, administrative, and technological controls).
  • How the system owner is complying with the requirement on page 7 in OMB Memorandum M-07-16 to "Log all computer-readable data extracts from databases holding sensitive information and verify each extract, including whether sensitive data has been erased within 90 days or its use is still required." Compliance with this requirement may be manual or electronic.
  • Whether the collection will result in the creation of a system of records within the meaning of the Privacy Act, and the number and name of the related Privacy Act System of Records Notice (SORN).
  • Whether the electronic and paper records in the system are covered by a records control schedule approved by the National Archives and Records Administration (NARA), including the schedule and item number(s), or, if not covered, the date when a schedule will be submitted to NARA.

The depth and content of the PIA statement should be commensurate with the size of the information system being assessed, the sensitivity of the information that is in an identifiable form in that system, and the risk of harm from unauthorized release of that information. For example, PIA statements for major information systems will reflect more extensive analyses of the consequences of the collection and flow of information; the alternatives to collection and handling as designed; privacy risk mitigation measures for each alternative; and the rationale for the final design choice or business process.

Systems Requiring PIA Statement

PIA statements must be completed for new systems and proposed information collections that contain personally identifiable information, including systems under development and systems undergoing major modifications.

PIA statements must be developed for all investigative, law enforcement case files, and human resources databases even if they were previously exempt because they have not been modified or contained information only about federal employees.

PIA statements must also be developed for any legacy systems containing PII for which a current PIA is not in force and up to date. These requirements expand upon those in OMB implementing guidance for the E-Government Act (OMB Memorandum M-03-22), and in the previous Commerce IT Privacy Policy (July 30, 2004). This policy requires operating units to conduct a PIA before developing or procuring IT systems or investments that collect, maintain, or disseminate information in identifiable form from or about members of the public, or initiating, consistent with the Paperwork Reduction Act, a new or significantly revised electronic collection of information in identifiable form.

Commerce extends the requirement for PIA statements to systems or collections of information that include business identifiable information before:

  • Developing or procuring IT systems or investments that collect, maintain, or disseminate information in identifiable form from or about companies or other business entities.
  • Initiating the collection, maintenance, or dissemination of information in identifiable form about companies or other business entities.

Commerce policy also extends the requirement for PIA statements to systems or information collections of personally identifiable or business identifiable information that are:

  • Part of new multi-agency projects in which Commerce or a Commerce operating unit is a participant.
  • Created, operated, or performed on a reimbursable basis by Commerce for another federal agency under an Interagency Agreement.

All PIA statements must specifically describe how the data extract log and verify requirement of OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, has been implemented for the system.

All PIA statements are also required to be updated where a system change creates new privacy risks. Examples include:

  • When a paper-based records system is converted to an electronic system.
  • When an existing electronic system is modified so that previously anonymous information becomes identifiable.
  • When new uses of an existing IT system, such as the application of new technologies, significantly change how identifiable information is managed in the system.
  • When databases holding identifiable information are merged, centralized, matched with other databases, or otherwise significantly manipulated.
  • When user-authenticating technology (e.g., password, digital certificate, or biometric) is newly applied to an electronic information system accessed by members of the public.
  • When agencies systematically incorporate into existing IT systems databases of information in identifiable form purchased from commercial or public sources.
  • When agencies work together on shared functions involving significant new uses or exchanges of information in identifiable form.
  • When alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional items of identifiable information.
  • When new identifiable information that is added to the system increases the risks to personal privacy (e.g., the addition of medical or financial information).
  • When a system with identifiable information is relocated to a remote site or a facility not under the direct control of the Department (e.g., a contractor's processing facility).

In addition, operating units may conduct discretionary PIAs as they determine to be appropriate and necessary.

Systems Excluded from PIA Statement

A PIA statement is not required in the following circumstances:

  • For government-run websites, IT systems, or collections of information that do not collect or maintain information in identifiable form about members of the general public, contractors, or consultants.
  • For government-run public websites where the user is given the option of contacting the site operator for the limited purpose of asking questions or providing comments.
  • For national security systems defined at 40 U.S.C. 11103 as exempt from the definition of information technology. (See section 202(i) of the E-Government Act.)
  • When all elements of a PIA are addressed in a matching agreement governed by the computer matching provisions of the Privacy Act.
  • When all elements of a PIA are addressed in an interagency agreement permitting the merging of data for strictly statistical purposes and where the resulting data are protected from improper disclosure and use under Title V of the E-Government Act.
  • When operating units are developing IT systems or collecting non-identifiable information for a discrete purpose that does not involve matching with or retrieval from other databases that generate individual or business identifiable information.
  • For minor changes to an IT system or collection that do not create new privacy risks.

Although the E-Government Act and OMB guidance do not require that PIAs be conducted for systems that collect data about businesses, Commerce policy requires PIAs for systems with business identifiable information.

PIA and Commerce IT Security Program Policy

The implementation of security controls in accordance with the DOC IT Security Program Policy provides information that is helpful in conducting the PIA and ensuring that the PIA statement comprehensively addresses all the elements described above.

PIA, PRA and the Privacy Act

OMB reviews and clears information collections. Pursuant to the Paperwork Reduction Act (PRA), all new information collections subject to the PRA must be submitted to OMB. Operating units undertaking new information collections using electronic means for collecting, processing, or storing the information must conduct a PIA. The resulting PIA statement must be submitted through the Department to OMB along with the information collection request (ICR) unless it has been submitted to OMB as part of the business case development process. All elements required to be in the PIA statement must be addressed and identifiable in the context of the structure of the Paperwork Reduction Act Submission (OMB 83-I) for the ICR.

Operating units need not conduct a new PIA for simple renewal requests for information collections under the PRA, but must separately consider the need for a PIA when amending an ICR to collect information that is significantly different in character from the original collection.

Similarly, operating units may choose to conduct a PIA when developing a SORN required under the Privacy Act, in that the PIA and SORN overlap in content, e.g., the categories of records in the system, the uses of the records, and the policies and practices for handling. Operating units must separately consider the need to conduct a PIA when issuing a change to the SORN. For example, a change in the type or category of record added to the system may warrant a PIA.

PIA Process and Records Management

The PIA process is conducted to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form (i.e., records) in an electronic information system, and to identify and evaluate protections and alternative processes to mitigate the privacy impact of collecting information in identifiable form. As part of the PIA process, the system owner must evaluate whether the records in the system are being properly managed and disposed of in accordance with the Federal Records Act and records control schedules approved by the National Archives and Records Administration (NARA). Effective management of the records and the prompt disposal, in accordance with NARA-approved disposition schedules, of information in identifiable form will minimize the risks of unauthorized disclosure or premature disposal.

PIA Statement and Exhibit 300

The PIA statement must clearly indicate the link between the privacy system or information collection covered by the PIA and the related major information system described in OMB Exhibit 300, "Capital Asset Plan and Business Case Summary." The PIA should, if applicable, identify the Unique Project Identifier (UPI) of the Exhibit 300 business case to which it relates and whether it covers the complete system identified in the Exhibit 300 or only one of several subsystems or information collections that are part of the major system in the Exhibit 300. The Exhibit 300 must state whether there is an accompanying PIA statement.

If the privacy system cannot be linked to a UPI and Exhibit 300, the PIA should include another identifying number and/or an explanation why an Exhibit 300 is not applicable.

Each PIA statement must also identify the IT security system number and name to which the PIA applies. There may be multiple PIAs that link to the same security system, as in the case where applications containing different PII are hosted on the same general support system.

PIA Process for Review and Publication

When an operating unit conducts a PIA, the operating unit must send the resulting PIA statement for review to the Director, Office of IT Policy and Planning (OITPP), to whom the Commerce CIO has delegated the authority to review, approve, and publish PIAs. OITPP staff will consult with the operating unit to resolve any concerns. When concerns are resolved, the Director, OITPP, will submit OMB-mandated PIA statements addressing personally identifiable information to OMB for review.

The E-Government Act and OMB implementing guidance require agencies to make their mandatory PIA statements addressing personally identifiable information available to the public. The PIA statement should not be made publicly available to the extent that publication would raise security concerns or reveal national security or other sensitive information. A summary of the PIA that omits this sensitive information should be prepared for public availability. Identifiable information should not be included in the PIA statement and cannot be the basis for not making the PIA statement publicly available.

PIA statements associated with budget proposals submitted to OMB or prepared for submission to OMB are pre-decisional, and are not to be made public unless and until OMB approves the budget proposal and includes it in the President's Budget. PIA statements associated with information collection requests (ICRs) are not to be made public unless and until OMB approves the ICR.

Subject to the restrictions immediately above, at the completion of the Commerce and OMB PIA statement review process, the operating unit must publish the PIA statement or a summary of the PIA statement addressing personally identifiable information on its website. In the case of a PIA statement that is associated with a budget request in the President's Budget, the PIA statement or a summary of the PIA statement addressing personally identifiable information should be made available promptly to the public upon the delivery of the President's Budget to the Congress.

For Commerce-mandated PIAs that address business identifiable information and for other OMB-discretionary PIAs, the operating unit must send the completed PIA statement to the Director, OITPP, for review. These PIAs are conducted pursuant to Commerce policy; they are not sent to OMB. After review by the Director, OITPP, the operating unit is to make a decision, in consultation with the Director, OITPP, as to whether the PIA statement or a summary of it should be made publicly available on the operating unit's website.

Privacy Threshold Analysis

A Privacy Threshold Analysis (PTA) is used to determine if a system contains PII, whether a PIA is required, whether a SORN is required, and if any other privacy requirements apply to the information system. See the PTA template for information that must be included on the PTA.

Templates

PIA Brochure

Here is an overview of the same information about PIA in a brochure.