U.S. Department of Commerce
Office of the Chief Information Officer
- What is IT Privacy?
- What are the federal laws and guidance that relate to the protection of privacy for individuals and businesses?
- What are the privacy responsibilities of the Commerce Chief Information Officer (CIO)?
- What is a Privacy Impact Assessment (PIA)?
- For what systems or information collections must a PIA be completed?
- What is personally identifiable information (PII)?
- What is business identifiable information (BII)?
- When is a PIA statement not required?
- What is a PIA statement and what must it include?
- What is the relationship between the PIA and Commerce IT Security Program Policy?
- What is the relationship between the PIA and requirements under the Paperwork Reduction Act (PRA) and the Privacy Act?
- What is the relationship between the PIA process and records management?
- What is the relationship between the PIA statement and Exhibit 300?
- What is the process for the review and publication of the PIA?
- Who can provide additional information on this policy or other privacy issues?
What is IT Privacy?
Information Technology (IT) Privacy is the protection of personally identifiable or business identifiable information that is collected from respondents through information collection activities or from other sources and that is maintained by the Department of Commerce in its IT systems. For purposes of this policy, this information is termed “identifiable information.” Office of Management and Budget (OMB) guidance, consistent with the E-Government Act of 2002, protects personally identifiable information (PII). Commerce, through this policy, is extending the same protection to business identifiable information (BII).
Rapid advancements in computer technology make it possible to store and retrieve vast amounts of data of all kinds quickly and efficiently. These advancements have raised concerns about the impact of IT systems on the privacy of individuals and businesses. The Department of Commerce is committed to protecting identifiable information collected from individuals and businesses to the extent permitted by law. The Department will treat all identifiable information with fairness and respect and will ensure its integrity, reflecting its stewardship responsibility for the information entrusted to it. To address these concerns, the Department of Commerce has adopted the following privacy principles:
- Data Minimization: The Department of Commerce will collect the minimal amount of information necessary from individuals and businesses consistent with the Department’s mission and legal requirements.
- Transparency: Notice covering the purpose of the collection and use of identifiable information will be provided in a clear manner. Information collected will not be used for any other purpose unless authorized or mandated by law.
- Accuracy: Information collected will be maintained in a sufficiently accurate, timely, and complete manner to ensure that the interests of the individuals and businesses are protected.
- Security: Adequate physical and IT security measures will be implemented to ensure that the collection, use, and maintenance of identifiable information are properly safeguarded and that the information is promptly destroyed in accordance with approved records control schedules.
What are the federal laws and guidance that relate to the protection of privacy for individuals and businesses?
- The Privacy Act of 1974 (5 U.S.C. 552a) regulates the Federal Government’s collection, use, maintenance, and dissemination of information about individuals.
- Section 208 of the E-Government Act of 2002 (44 U.S.C. 3601 et seq.) establishes procedures to ensure the privacy of personal information in electronic records.
- The Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501 et seq.) is designed to reduce the public’s burden of answering unnecessary, duplicative, and burdensome government surveys.
- The Trade Secrets Act (18 U.S.C. 1905) provides criminal penalties for the theft of trade secrets and other business identifiable information.
- The Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501-06) regulates the online collection and use of personal information provided by and relating to children under the age of 13.
- OMB Circular A-130, “Management of Federal Information Resources,” establishes a policy for the management of Federal information resources, including automated information systems.
- OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003, provides specific guidance to agencies for implementing Section 208 of the E-Government Act.
- OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, establishes requirements to review and reduce the volume of PII; eliminate the unnecessary use of social security numbers (SSN); and log all computer-readable data extracts from databases holding sensitive information and verify each extract, including whether sensitive data has been erased within 90 days or its use is still required (pages 6-8).
- OMB Memorandum M-06-16, Protection of Agency Sensitive Information, provides guidance for encrypting sensitive data on mobile computers and devices; allowing remote access only with two-factor authentication; using a time-out function for remote access; and logging all computer-readable data extracts from databases holding sensitive information and verifying each extract, including whether sensitive data has been erased within 90 days or its use is still required.
- OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, requires that agencies conduct a review of their policies and processes, and take corrective action as appropriate to ensure adequate safeguards to prevent the intentional or negligent misuse of, or unauthorized access to, personally identifiable information.
What are the privacy responsibilities of the Commerce Chief Information Officer (CIO)?
The CIO has the responsibility for ensuring that identifiable information in IT systems is effectively protected and secured. Specific responsibilities include:
- Review PIAs, with the assistance of the Director, Office of IT Policy and Planning, who has been delegated authority to review and approve PIAs.
- Submit OMB-mandatory PIAs to OMB. The authority to submit has also been delegated to the Director, Office of IT Policy and Planning.
- Prepare and submit to OMB an annual report on compliance with the privacy provisions of the E-Government Act of 2002.
- The CIO has been designated the Commerce Chief Privacy Officer, and serves as the Senior Agency Official for Privacy.
What is a Privacy Impact Assessment (PIA)?
A PIA is a process for determining the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system, and for identifying and evaluating protections and alternative processes to mitigate the impact to privacy of collecting information in identifiable form.
The E-Government Act requires that agencies conduct a PIA before (i) developing or procuring information technology that collects, maintains, or disseminates information that is in an identifiable form or (ii) initiating a new electronic collection of information that will be collected from 10 or more persons, other than agencies, instrumentalities, or employees of the Federal Government, and will be maintained, or disseminated in an identifiable form, using information technology.
PIAs are conducted to ensure that there is no collection, storage, access, use, or dissemination of identifiable information from or about members of the general public and businesses that is not needed or authorized, and that identifiable information that is collected is adequately protected. PIAs may address issues relating to the integrity and availability of data handled by a system, to the extent these issues are not already adequately addressed in a System Security Plan.
Operating units should begin the PIA process when they propose a new IT system through the budget process that will collect, store, or process identifiable information or when starting to develop or significantly modify such a system, or when a new electronic collection of identifiable information is being proposed. The conduct of a PIA is a multidisciplinary process, and operating units should coordinate the efforts of system managers as well as experts in information technology, security, and privacy law and policy in determining whether a PIA should be conducted and in drafting PIAs. The system manager and the system developer must work together to conduct the PIA. The system manager must address what data are to be collected or processed, how the data will be used, and who will be authorized to use the data. The system developer must address what system protections are being applied or will be applied to ensure adequate protection of the data.
To conduct an effective and comprehensive PIA, the system manager and developer should include in the review process those individuals who have expertise in the program area, legal issues, privacy, records management, human resources, and any other subject matter area that may be applicable to the system under review.
For what systems or information collections must a PIA be completed?
PIA statements must be completed for new systems and proposed information collections that contain personally identifiable information, including systems under development and systems undergoing major modifications.
PIA statements must be developed for all investigative, law enforcement case files, and human resources databases even if they were previously exempt because they have not been modified or contained information only about federal employees.
Commerce extends the requirement for PIA statements to systems or collections of information that include business identifiable information before:
- Developing or procuring IT systems or investments that collect, maintain, or disseminate information in identifiable form from or about companies or other business entities.
- Initiating the collection, maintenance, or dissemination of information in identifiable form about companies or other business entities.
Commerce policy also extends the requirement for PIA statements to systems or information collections of personally identifiable or business identifiable information that are:
- Part of new multi-agency projects in which Commerce or a Commerce operating unit is a participant.
- Created, operated, or performed on a reimbursable basis by Commerce for another federal agency under an Interagency Agreement.
All PIA statements must specifically describe how the data extract log and verify requirement of OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, has been implemented for the system.
All PIA statements are also required to be updated where a system change creates new privacy risks. Examples include:
- When a paper-based records system is converted to an electronic system.
- When an existing electronic system is modified so that previously anonymous information becomes identifiable.
- When new uses of an existing IT system, such as the application of new technologies, significantly change how identifiable information is managed in the system.
- When databases holding identifiable information are merged, centralized, matched with other databases, or otherwise significantly manipulated.
- When user-authenticating technology (e.g., password, digital certificate, or biometric) is newly applied to an electronic information system accessed by members of the public.
- When agencies systematically incorporate into existing IT systems databases of information in identifiable form purchased from commercial or public sources.
- When agencies work together on shared functions involving significant new uses or exchanges of information in identifiable form.
- When alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional items of identifiable information.
- When new identifiable information that is added to the system increases the risks to personal privacy (e.g., the addition of medical or financial information).
- When a system with identifiable information is relocated to a remote site or a facility not under the direct control of the Department (e.g., a contractor’s processing facility).
In addition, operating units may conduct discretionary PIAs as they determine to be appropriate and necessary.
What is personally identifiable information (PII)?
The term personally identifiable information refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (OMB Memorandum M-07-16, Note 1). The definition of PII is very broad and makes no distinction between “sensitive” and “non-sensitive” PII.
Terms not specifically defined within this Memorandum (e.g., sensitive) should be considered to reflect the definition found in a commonly accepted dictionary. (OMB Memorandum M-07-16, Note 7). Examples include direct references such as name, address, social security number, and e-mail address. It also includes any information that could be used to reference other data elements that are used for identification, such as gender, race, and date of birth.
What is business identifiable information (BII)?
For the purpose of this policy, business identifiable information (BII) consists of (a) information that is defined in the Freedom of Information Act (FOIA) as “trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential.” (5 U.S.C. 552(b)(4)). This information is exempt from automatic release under the (b)(4) FOIA exemption. “Commercial” is not confined to records that reveal “basic commercial operations” but includes any records [or information] in which the submitter has a “commercial interest” and can include information submitted by a nonprofit entity.
Or (b) commercial or other information that, although it may not be exempt from release under FOIA, is exempt from disclosure by law (e.g., 13 U.S.C. 9).
When is a PIA statement not required?
A PIA statement is not required in the following circumstances:
- For government-run Web sites, IT systems, or collections of information that do not collect or maintain information in identifiable form about members of the general public, contractors, or consultants.
- For government-run public Web sites where the user is given the option of contacting the site operator for the limited purpose of asking questions or providing comments.
- For national security systems defined at 40 U.S.C. 11103 as exempt from the definition of information technology. (See section 202(i) of the E-Government Act.)
- When all elements of a PIA are addressed in a matching agreement governed by the computer matching provisions of the Privacy Act.
- When all elements of a PIA are addressed in an interagency agreement permitting the merging of data for strictly statistical purposes and where the resulting data are protected from improper disclosure and use under Title V of the E-Government Act.
- When operating units are developing IT systems or collecting non-identifiable information for a discrete purpose that does not involve matching with or retrieval from other databases that generate individual or business identifiable information.
- For minor changes to an IT system or collection that do not create new privacy risks.
Although the E-Government Act and OMB guidance do not require that PIAs be conducted for systems that collect data about businesses, Commerce policy requires PIAs for systems with business identifiable information.
What is a PIA statement and what must it include?
The PIA statement is an analysis of how information is handled, including identification of IT risks and their resolution. The PIA statement must document the following elements:
- Identifying information, including the OMB Exhibit 300 identification number; IT security system identification number and name; OMB information collection control number; and name, e-mail address, and phone number of a contact person.
- Brief description of the system, its purpose, and the nature of the data that are to be protected.
- Event or reason the PIA was conducted (e.g., initial PIA; new data collection; change in ongoing data collection; or reuse of existing data).
- The law or regulation that authorizes the collection and maintenance of the information.
- What information is being collected, maintained, or disseminated (e.g., nature and source).
- Why the information is being collected, maintained, or disseminated (e.g., to determine eligibility).
- Intended use of the information (e.g., to verify existing data).
- With whom the information will be shared (e.g., another agency for a specified programmatic purpose).
- What opportunities individuals or businesses have to decline providing information in the case of voluntary collections.
- What opportunities individuals or businesses have to consent to particular uses of the information and how they can grant consent.
- How the information will be secured (i.e., management, operational, administrative, and technological controls).
- How the system owner is complying with the requirement on page 7 in OMB Memorandum M-07-16 to “Log all computer-readable data extracts from databases holding sensitive information and verify each extract, including whether sensitive data has been erased within 90 days or its use is still required.” Compliance with this requirement may be manual or electronic.
- Whether the collection will result in the creation of a system of records within the meaning of the Privacy Act, and the number and name of the related Privacy Act System of Records Notice (SORN).
- Whether the electronic and paper records in the system are covered by a records control schedule approved by the National Archives and Records Administration (NARA), including the schedule and item number(s), or, if not covered, the date when a schedule will be submitted to NARA.
The depth and content of the PIA statement should be commensurate with the size of the information system being assessed, the sensitivity of the information that is in an identifiable form in that system, and the risk of harm from unauthorized release of that information. For example, PIA statements for major information systems will reflect more extensive analyses of the consequences of the collection and flow of information; the alternatives to collection and handling as designed; privacy risk mitigation measures for each alternative; and the rationale for the final design choice or business process.
What is the relationship between the PIA and Commerce IT Security Program Policy?
The implementation of security controls in accordance with the DOC IT Security Program Policy provides information that is helpful in conducting the PIA and ensuring that the PIA statement comprehensively addresses all the elements described above.
What is the relationship between the PIA and requirements under the Paperwork Reduction Act (PRA) and the Privacy Act?
OMB reviews and clears information collections. Pursuant to the PRA, all new information collections subject to the PRA must be submitted to OMB. Operating units undertaking new information collections using electronic means for collecting, processing, or storing the information must conduct a PIA. The resulting PIA statement must be submitted through the Department to OMB along with the information collection request (ICR) unless it has been submitted to OMB as part of the business case development process. All elements required to be in the PIA statement must be addressed and identifiable in the context of the structure of the Paperwork Reduction Act Submission (OMB 83-I) for the ICR.
Operating units need not conduct a new PIA for simple renewal requests for information collections under the PRA, but must separately consider the need for a PIA when amending an ICR to collect information that is significantly different in character from the original collection.
Similarly, operating units may choose to conduct a PIA when developing a system of records (SOR) notice required under the Privacy Act, in that the PIA and SOR notice overlap in content, e.g., the categories of records in the system, the uses of the records, and the policies and practices for handling. Operating units must separately consider the need to conduct a PIA when issuing a change to the SOR notice. For example, a change in the type or category of record added to the system may warrant a PIA.
What is the relationship between the PIA process and records management?
The PIA process is conducted to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form (i.e., records) in an electronic information system, and to identify and evaluate protections and alternative processes to mitigate the privacy impact of collecting information in identifiable form. As part of the PIA process, the system owner must evaluate whether the records in the system are being properly managed and disposed of in accordance with the Federal Records Act and records control schedules approved by the National Archives and Records Administration (NARA). Effective management of the records and the prompt disposal, in accordance with NARA-approved disposition schedules, of information in identifiable form will minimize the risks of unauthorized disclosure or premature disposal.
What is the relationship between the PIA statement and Exhibit 300?
The PIA statement must clearly indicate the link between the privacy system or information collection covered by the PIA and the related major information system described in OMB Exhibit 300, “Capital Asset Plan and Business Case Summary.” The PIA should, if applicable, identify the Unique Project Identifier (UPI) of the Exhibit 300 business case to which it relates and whether it covers the complete system identified in the Exhibit 300 or only one of several subsystems or information collections that are part of the major system in the Exhibit 300. The Exhibit 300 must state whether there is an accompanying PIA statement.
If the privacy system cannot be linked to a UPI and Exhibit 300, the PIA should include another identifying number and/or an explanation why an Exhibit 300 is not applicable.
Each PIA statement must also identify the IT security system number and name to which the PIA applies. There may be multiple PIAs that link to the same security system, as in the case where applications containing different PII are hosted on the same general support system.
What is the process for the review and publication of the PIA?
When an operating unit conducts a PIA, the operating unit must send the resulting PIA statement for review to the Director, Office of IT Policy and Planning (OITPP), to whom the Commerce CIO has delegated the authority to review, approve, and publish PIAs. OITPP staff will consult with the operating unit to resolve any concerns. When concerns are resolved, the Director, OITPP, will submit OMB-mandated PIA statements addressing personally identifiable information to OMB for review.
The E-Government Act and OMB implementing guidance require agencies to make their mandatory PIA statements addressing personally identifiable information available to the public. The PIA statement should not be made publicly available to the extent that publication would raise security concerns or reveal national security or other sensitive information. A summary of the PIA that omits this sensitive information should be prepared for public availability. Identifiable information should not be included in the PIA statement and cannot be the basis for not making the PIA statement publicly available.
PIA statements associated with budget proposals submitted to OMB or prepared for submission to OMB are pre-decisional, and are not to be made public unless and until OMB approves the budget proposal and includes it in the President’s Budget. PIA statements associated with information collection requests (ICRs) are not to be made public unless and until OMB approves the ICR.
Subject to the restrictions immediately above, at the completion of the Commerce and OMB PIA statement review process, the operating unit must publish the PIA statement or a summary of the PIA statement addressing personally identifiable information on its Web site. In the case of a PIA statement that is associated with a budget request in the President’s Budget, the PIA statement or a summary of the PIA statement addressing personally identifiable information should be made available promptly to the public upon the delivery of the President’s Budget to the Congress.
For Commerce-mandated PIAs that address business identifiable information and for other OMB-discretionary PIAs, the operating unit must send the completed PIA statement to the Director, OITPP, for review. These PIAs are conducted pursuant to Commerce policy; they are not sent to OMB. After review by the Director, OITPP, the operating unit is to make a decision, in consultation with the Director, OITPP, as to whether the PIA statement or a summary of it should be made publicly available on the operating unit’s Web site.
The Commerce IT Privacy Web site includes links to all the PIAs posted on the operating units’ Web sites.
Who can provide additional information on this policy or other privacy issues?
For information on the provisions of this policy related to the E-Government Act or the Paperwork Reduction Act, contact Jennifer Jessup (JJessup@doc.gov) in the Office of the CIO, OITPP.
For information on provisions of the Privacy Act, contact Brenda Dolan (email@example.com), the Department’s Privacy Act Officer.
Date of policy superseded: July 30, 2004
Revision status: Revision 1
Approved by Suzanne Hilding, Chief Information Officer, 01/22/2009