
U.S. Securities and Exchange Commission
Office of Information Technology
Alexandria, VA

PRIVACY IMPACT ASSESSMENT (PIA) GUIDE

Revised January 2007

Privacy Office

Office of Information Technology



The E-Government Act of 2002, Section 208, establishes the requirement for agencies to conduct privacy impact assessments (PIAs) for electronic information systems and collections [1]. The assessment is a practical method of evaluating privacy in information systems and collections, and it provides documented assurance that privacy issues have been identified and adequately addressed.

The process is designed to guide SEC system owners and developers in assessing privacy during the early stages of development and throughout the System Development Life Cycle (SDLC), to determine how their project will affect the privacy of individuals and whether the project objectives can be met while also protecting privacy.

This guide provides a framework for conducting privacy impact assessments and a methodology for assessing how personally identifiable information is to be managed in information systems within the SEC.

PIA Overview

Conducting a PIA ensures compliance with laws and regulations governing privacy and demonstrates the SEC’s commitment to protect the privacy of any personal information we collect, store, retrieve, use and share. It is a comprehensive analysis of how the SEC’s electronic information systems and collections handle personally identifiable information (PII). The objective of the PIA is to systematically identify the risks and potential effects of collecting, maintaining, and disseminating PII and to examine and evaluate alternative processes for handling information to mitigate potential privacy risks.

Personally Identifiable Information (PII)

PII is information in an IT system or online collection that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.). In addition, PII may be comprised of information by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. These data elements may also include gender, race, birth date, geographic indicator and other descriptors.

PII should not be confused with “private” information. Private information is information that an individual prefers not to make publicly known, e.g., because of the information’s sensitive nature. Personally identifiable information is much broader in scope and includes all information that can be used to directly or indirectly identify individuals. PIAs require analysis of broader PII issues, not just the narrower “private” aspects.

[1] See OMB Memorandum (M-03-22), Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

PIA Requirements

A PIA should be completed when any of the following activities occur:

1. Developing, or procuring any new technologies or systems that handle or collect personal information.

- A PIA is required for all Exhibit 300 submissions, which serve as budget justification and reporting requirements for major information technology investments [2]. The PIA should show that privacy was considered from the beginning stage of system development. If a program is beginning with a pilot, a PIA is required prior to the commencement of the pilot test.

2. Developing system revisions.

- If an existing system is modified, a PIA may be required. (See Appendix A for activities that may trigger the need for a PIA.)

3. Initiating a new electronic collection of information in identifiable form for 10 or more persons, consistent with the Paperwork Reduction Act (PRA).

- This requirement includes any representation of information that permits the identity of an individual to be reasonably inferred by either direct or indirect means. For additional information, contact the SEC’s PRA liaison located in the Office of Information Technology, Information Resources Management Branch.

4. Issuing a new or updated rulemaking that affects personal information.

- A PIA is required for collections of new information or update to existing collections as part of a rulemaking. The PIA should discuss how the management of these new collections ensures conformity with privacy laws. Even if a program has specific authority to collect certain information, a PIA is required.

5. Categorizing System Security Controls as “High-Major” or “Moderate-Major”.

- The Privacy Analysis Worksheet (PAW), Appendix B, is required for all systems that are categorized as “High-Major” or “Moderate-Major”, even if the system does not handle or collect personal information. The PAW serves as justification that privacy was assessed for this “Major” system. (Contact OIT Security at COPS@sec.gov for assistance.)

A PIA is NOT required in the following instances:

1. For government-run Web sites, IT systems, or collections of information that do not collect or maintain information in identifiable form about members of the general public, government employees, contractors, or consultants.

2. For government-run public Web sites where the user is given the option of contacting the site operator for the limited purpose of asking questions or providing comments.

3. For national security systems.

4. When all elements of a PIA are addressed in a data matching or comparison agreement governed by the computer matching provisions of the Privacy Act.

[2] See OMB Circular No. A-11, Part 7, Section 300.

PIA Requirements Related to Privacy Act Systems of Records Notice (SORN)

The Privacy Act requires agencies to publish a System of Records Notice (SORN) in the Federal Register that describes the categories of personally identifiable information collected, maintained and used in an automated system. In order for the system to fall under the requirements of a Privacy Act system of records, personal information must be collected on an individual AND retrieved by the individual’s name or unique identifier, e.g., SS#. If personal information is collected but never retrieved by the unique identifier, it is not a system of records and a SORN is not required for the system.

Under the statute, any officer or employee who knowingly and willfully maintains a system of records without meeting the Privacy Act notice requirements (5 U.S.C. 552a(e)(4)) is guilty of a misdemeanor and may be fined up to $5000.

The PIA

The PIA is an analysis of how personally identifiable information is collected, stored, protected, shared and managed. It identifies and assesses privacy implications in automated information systems. The system owner initiates the process by completing the Privacy Analysis Worksheet [3].

The responses on this worksheet will determine whether the proposed project meets the criteria requiring a full PIA. If required, the system owner conducts the PIA using the PIA Template [4] and the accompanying PIA Writing Guide [5]. The system owner responds to privacy-related questions regarding:

- Data in the system (e.g., what data is collected and why)
- Attributes of the data (e.g., use and accuracy)
- Sharing practices
- Notice to Individuals to Consent/Decline Use (e.g., SORN)
- Access to data (i.e., Administrative and Technological Controls)

[3] See Appendix B.
[4] See Appendix C.
[5] See Appendix D.

The depth and content of the PIA should be appropriate for the nature of the information to be collected, and the size and complexity of the system. For example, PIAs for major information systems should reflect an extensive analysis of the consequences of collection and flow of information, alternatives to the collection and handling of PII, appropriate measures to mitigate risks and the rationale for the final design choice or business process.

Steps for Completing a PIA

The Privacy Analysis Worksheet (PAW) is completed to determine whether a full Privacy Impact Assessment (PIA) and/or a System of Records Notice (SORN) are required for your project.

This worksheet is to be completed by the project manager and system owner. Complete Section A below, sign and send the form to the Privacy Office. Upon receipt, the Privacy Office will review the form and may request additional information.

SECTION A - Summary Information

1. Name of project or system:

Please enter the project or system name here.

2. Description of project or system and its purpose:

Please provide a general, non-technical description of the project or system and its purpose; if the project is statutory, provide the citation.

3. Contact Name, Title, Telephone Number and Organization:

Please provide information here.

Specific Questions

1. Does this project or system collect, maintain, retrieve or share personal information that can be used to directly or indirectly identify an individual?

NO. A PIA is not required for this project. Skip to Signature Page.

YES. A PIA is required for this project.

Please provide a specific description of the information that might be collected or maintained.

2. Does this project or system retrieve information using a personal identifier?

NO. A Privacy Act SORN is not required for this project. Skip to Signature Page.

YES. A Privacy Act SORN is required for this project.

Please provide a description of the data fields that might be used to retrieve the information.

Is there an existing Privacy Act System of Records Notice (SORN)?

NO. Contact privacyhelp@sec.gov for assistance.

YES. The existing SORN may need to be modified to reflect changes.

Please provide the system notice number.

Signature of Individual(s) completing this form

_______________________________ ________________________________
System Owner/Date Project Manager/Date

SECTION B - Endorsement

_______________________________ ________________________________
Chief Privacy Officer/Date Chief Information Security Officer/Date

Approval

_______________________________
Chief Information Officer/Date

Appendix C - PIA Template (Revised 2007)

Refer to the PIA Writing Guide (Appendix D) for guidance in responding to the questions below.

If not applicable, respond N/A.


Project Manager/System Owner(s):
Name:
Title:
Organization:
Telephone Number:

GENERAL INFORMATION - Project/System Information

1. Name of Project or System.

2. Description of Project or System.

3. What is the purpose of the Project or System?

4. Requested Operational Date?

5. System of Records Notice (SORN) number?

6. Is this an Exhibit 300 project or system?

7. What specific legal authorities, arrangements, and/or agreements require the collection of this information?

SECTION I - Data in the System

1. What data is to be collected?

2. What are the sources of the data?

3. Why is the data being collected?

4. What technologies will be used to collect the data?

5. Does a personal identifier retrieve the data?

SECTION II - Attributes of the Data (use and accuracy)

1. Describe the uses of the data.

2. Does the system analyze data to assist users in identifying previously unknown areas of note, concern or pattern?

3. How will the data collected from individuals or derived by the system be checked for accuracy?

SECTION III - Sharing Practices

1. Will the data be shared with any internal or external organizations?

2. How is the data transmitted or disclosed to the internal or external organization?

3. How is the shared data secured by external recipients?

SECTION IV - Notice to Individuals to Decline/Consent Use

1. Was notice provided to the different individuals prior to collection of data?

2. Do individuals have the opportunity and/or right to decline to provide data?

3. Do individuals have the right to consent to particular uses of the data?

SECTION V - Access to Data (administrative and technological controls)

1. Has the retention schedule been established by the Records Officer? If so, what is the retention period for the data in the system?

2. What are the procedures for identification and disposition of the data at the end of the retention period?

3. Describe the privacy training provided to users, either generally or specifically relevant to the program or system.

4. Will SEC contractors have access to the system?

5. Is the data secured in accordance with FISMA requirements?

- If NO, answer questions 6-9 below.

- If YES, provide date that the Certification & Accreditation was completed.

6. Which user group(s) will have access to the system?

7. How is access to the data by a user determined? Are procedures documented?

8. How are the actual assignments of roles and rules verified according to established security and auditing procedures?

9. What auditing measures/controls and technical safeguards are in place to prevent misuse (e.g., unauthorized browsing) of data?

SECTION VI - Privacy Analysis

Given the amount and type of data being collected, discuss what privacy risks were identified and how they were mitigated.

Signature of Individual(s) completing this form

_______________________________ ________________________________
System Owner/Date Project Manager/Date

Endorsement

_______________________________ ________________________________
Chief Privacy Officer/Date Chief Information Security Officer/Date

Approval

_______________________________
Chief Information Officer/Date
