DHS Privacy Policy Guidance Memorandum

Introduction

  • Date: December 30, 2008

  • Document Type: Privacy Policy Guidance Memorandum

  • Memorandum Number: 2008-02

  • Recipients: DHS Directorate and Component Leadership

  • Author: Hugo Teufel III, Chief Privacy Officer

  • Subject: DHS Policy Regarding Privacy Impact Assessments (PIAs)

I. Purpose

  • The memorandum outlines the policy defining the circumstances under which the Department of Homeland Security (DHS) Chief Privacy Officer will conduct PIAs.

II. Authority

  • The Chief Privacy Officer conducts PIAs based on four specific statutory authorities:

    1. E-Government Act of 2002, Section 208:

    • Requires PIAs for all information technology that utilizes, maintains, or disseminates personally identifiable information (PII).

    • Mandates PIAs for new collections of PII from ten or more individuals from the public.

    2. Congressional Mandate:

    • Congress requires PIAs for certain DHS programs and activities.

    3. Homeland Security Act of 2002, Section 222(a)(4):

    • Authorizes the Chief Privacy Officer to conduct PIAs on proposed rulemakings by DHS.

    4. Homeland Security Act of 2002, Section 222(a)(1):

    • Requires assurance that technologies at DHS enhance privacy protections rather than diminish them.

III. Privacy Policy

  • The Privacy Office conducts PIAs on a range of technologies, rulemakings, programs, and activities to ensure privacy considerations are integrated consistently across all DHS operations. This activity is mandated by:

    • Section 208 of the E-Government Act

    • Homeland Security Act

A. Policy Reasons for Conducting PIAs
  1. Informed Decision Making:

    • PIAs provide necessary information to senior leadership and program offices about the incorporation of privacy protections in new and existing programs.

    • Helps leadership evaluate potential privacy issues that need to be addressed.

  2. Life Cycle Management:

    • Ensures privacy protections are built into systems from the start of their development.

    • Helps identify security risks tied to new technologies, facilitating compliance with the Federal Information Security Management Act (FISMA).

  3. Transparency:

    • Promotes openness to the public and oversight bodies, improving trust in DHS operations.

    • Documents how privacy protections are integrated into DHS activities.

  4. Accountability:

    • Establishes a framework for institutions like the DHS Office of Inspector General and Congress to evaluate DHS's privacy compliance, particularly regarding FISMA.

    • Involves reporting progress in conducting PIAs quarterly and annually to OMB.

  • The PIA process is aligned with the Fair Information Practice Principles (FIPPs) established under DHS policies, ensuring compliance with privacy handling mandates outlined in the Privacy Act of 1974.

IV. Implementation

  • The DHS Chief Privacy Officer is responsible for conducting PIAs across seven categories:

    1. Standard Information Technology PIAs:

    • Required prior to developing or procuring IT systems that handle PII.

    • Refers to OMB Memorandum 03-22, which details the requirements for PIA implementation.

    • The DHS Privacy Office provides guidance through periodic updates and specific PIA templates.

    • Requires a Privacy Threshold Analysis (PTA) for all IT systems that involve PII.

    2. Rulemaking PIAs:

    • Section 222(a)(4) mandates PIAs for proposed rulemakings affecting PII.

    • Provides opportunities for public involvement and scrutiny during the rulemaking process.

    3. Human Resource PIAs:

    • Although excluded under the E-Government Act, DHS conducts PIAs on systems related to employee information to maintain public trust.

    4. National Security System PIAs:

    • Classified and national security-related systems are assessed despite the E-Government Act's exclusions, ensuring privacy protections are implemented.

    5. Program PIAs:

    • Conducted when multiple IT systems are used for a single program where PII concerns exist.

    • Helps in providing comprehensive privacy assessments when single systems overlap.

    6. Privacy-Sensitive Technology PIAs:

    • Conducted on technology that relates to PII, as warranted by Section 222(a)(1) of the Homeland Security Act.

    • Involves careful consideration of new technologies or those not previously utilized in DHS.

    7. Pilot Testing:

    • Requires assessment through PTA to see if PII is involved before pilot testing.

    • PIAs inform the design and implementation of privacy protections effectively throughout the program lifecycle.


Additional References
  1. E-Government Act of 2002: Public Law 107-347

  2. Homeland Security Act of 2002: 6 U.S.C. § 142

  3. Federal Information Security Management Act of 2002: 44 U.S.C. § 3541

  4. OMB Memorandum 03-22 provides additional guidance and definitions related to privacy in the context of government information systems.