Pt. 806b, App. E
Appendix E to Part 806b—Privacy Impact Assessment
Section A—Introduction and Overview
The Privacy Act Assessment. The Air Force recognizes the importance of protecting the privacy of individuals, to ensure sufficient protections for the privacy of personal information as we implement citizen-centered e-Government. Privacy issues must be addressed when systems are being developed, and privacy protections must be integrated into the development life cycle of these automated systems. The vehicle for addressing privacy issues in a system under development is the Privacy Impact Assessment. The Privacy Impact Assessment process also provides a means to assure compliance with applicable laws and regulations governing individual privacy.
(a) Purpose. The purpose of this document is to:
(1) Establish the requirements for addressing privacy during the systems development process.
(2) Describe the steps required to complete a Privacy Impact Assessment.
(3) Define the privacy issues you will address in the Privacy Impact Assessment.
(b) Background. The Air Force is responsible for ensuring the privacy, confidentiality, integrity, and availability of personal information. The Air Force recognizes that privacy protection is both a personal and fundamental right. Among the most basic of individuals' rights is an expectation that the Air Force will protect the confidentiality of personal, financial, and employment information. Individuals also have the right to expect that the Air Force will collect, maintain, use, and disseminate identifiable personal information and data only as authorized by law and as necessary to carry out agency responsibilities. Personal information is protected by the following:
(1) Title 5, U.S.C. 552a, The Privacy Act of 1974, as amended, which affords individuals the right to privacy in records maintained and used by Federal agencies. Note:
5 U.S.C. 552a includes Public Law 100-503, The Computer Matching and Privacy Act of 1988. 13
(2) Public Law 100-235, The Computer Security Act of 1987, 14 which establishes minimum security practices for Federal computer systems.
(3) OMB Circular A-130, Management of Federal Information Resources, 15 which provides instructions to Federal agencies on how to comply with the fair information practices and security requirements for operating automated information systems.
(4) Public Law 107-347, Section 208, E-Gov Act of 2002, which aims to ensure privacy in the conduct of federal information activities.
(5) Title 5, U.S.C. 552, The Freedom of Information Act, as amended, which provides for the disclosure of information maintained by Federal agencies to the public while allowing limited protections for privacy.
(6) DoD Directive 5400.11, Department of Defense Privacy Program, 16 December 13, 1999.
(7) DoD 5400.11-R, Department of Defense Privacy Program, 17 August 1983.
(8) Air Force Instruction 33-332, Air Force Privacy Act Program.
(c) The Air Force Privacy Office is in the Office of the Air Force Chief Information Officer, Directorate of Plans and Policy, and is responsible for overseeing Air Force implementation of the Privacy Act.
Section B—Privacy and Systems Development
System Privacy. Rapid advancements in computer technology make it possible to store and retrieve vast amounts of data of all kinds quickly and efficiently. These advancements have raised concerns about the impact of large computerized information systems on the privacy of data subjects. Public concerns about highly integrated information systems operated by the government make it imperative to commit to a positive and aggressive approach to protecting individual privacy. Air Force Chief Information Officer is requiring the use of this Privacy Impact Assessment in order to ensure that the systems the Air Force develops protect individuals' privacy. The Privacy Impact Assessment incorporates privacy into the development life cycle so that all system development initiatives can appropriately consider privacy issues from the earliest stages of design.
(a) What is a Privacy Impact Assessment? The Privacy Impact Assessment is a process used to evaluate privacy in information systems. The process is designed to guide system owners and developers in assessing privacy through the early stages of development. The process consists of privacy training, gathering data from a project on privacy issues, and identifying and resolving the privacy risks. The Privacy Impact Assessment process is described in detail in Section C, Completing a Privacy Impact Assessment.
(b) When is a Privacy Impact Assessment Done? The Privacy Impact Assessment is initiated in the early stages of the development of a system and completed as part of the required system life cycle reviews. Privacy must be considered when requirements are being analyzed and decisions are being made about data usage and system design. This applies to all of the development methodologies and system life cycles used in the Air Force.
(c) Who completes the Privacy Impact Assessment? Both the system owner and system developers must work together to complete the Privacy Impact Assessment. System owners must address what data is to be used, how the data is to be used, and who will use the data. The system developers must address whether the implementation of the owner's requirements presents any threats to privacy.
(d) What systems have to complete a Privacy Impact Assessment? Accomplish Privacy Impact Assessments when:
(1) Developing or procuring information technology that collects, maintains, or disseminates information in identifiable form from or about members of the public.
(2) Initiating a new collection of information, using information technology, that collects, maintains, or disseminates information in identifiable form for 10 or more persons excluding agencies, instrumentalities, or employees of the Federal Government.
(3) Systems as described above that are undergoing major modifications.
(e) The Air Force or Major Command Privacy Act Officer reserves the right to request that a Privacy Impact Assessment be completed on any system that may have privacy risks.
Section C—Completing a Privacy Impact Assessment
The Privacy Impact Assessment. This section describes the steps required to complete a Privacy Impact Assessment. These steps are summarized in Table A4.1, Outline of Steps for Completing a Privacy Impact Assessment.
Training. Training on the Privacy Impact Assessment will be available, on request, from the Major Command Privacy Act Officer. The training consists of describing the Privacy Impact Assessment process and provides detail about the privacy issues and privacy questions to be answered to complete the Privacy Impact Assessment. Major Command Privacy Act Officers may use appendix E, Sections A, B, D, and E for this purpose. The intended audience is the personnel responsible for writing the Privacy Impact Assessment document.
The Privacy Impact Assessment Document. Preparing the Privacy Impact Assessment document requires the system owner and developer to answer the privacy questions in Section E. A brief explanation should be written for each question. Issues that do not apply to a system should be noted as “Not Applicable.” During the development of the Privacy Impact Assessment document, the Major Command Privacy Act Officer will be available to answer questions related to the Privacy Impact Assessment process and other concerns that may arise with respect to privacy.
Review of the Privacy Impact Assessment Document. Submit the completed Privacy Impact Assessment document to the Major Command Privacy Act Office for review. The purpose of the review is to identify privacy risks in the system.
Approval of the Privacy Impact Assessment. The system life cycle review process (Command, Control, Communications, Computers, and Intelligence Support Plan) will be used to validate the incorporation of the design requirements to resolve the privacy risks. Major Command and Headquarters Air Force Functional CIOs will issue final approval of the Privacy Impact Assessment.
Table A4.1—Outline of Steps for Completing a Privacy Impact Assessment
||System Owner, and Developer
||Request and complete Privacy Impact Assessment Training.
||System Owner, and Developer
||Answer the questions in Section E, Privacy Questions. For assistance contact your Major Command Privacy Act Officer.
||System Owner, and Developer
||Submit the Privacy Impact Assessment document to the Major Command Privacy Act Officer.
||Major Command Privacy Act Officer
||Review the Privacy Impact Assessment document to identify privacy risks from the information provided. The Major Command Privacy Act Officer will get clarification from the owner and developer as needed.
||System Owner and Developer, Major Command Privacy Act Officer
||The System Owner, Developer and the Major Command Privacy Act Officer should reach agreement on design requirements to resolve all identified risks.
||System Owner, Developer, and Major Command Privacy Act Officer
||Participate in the required system life cycle reviews to ensure satisfactory resolution of identified privacy risks to obtain formal approval from the Major Command or Headquarters Air Force Functional CIO.
||Major Command or Headquarters Air Force Functional CIO
||Issue final approval of Privacy Impact Assessment, and send a copy to Air Force Chief Information Officer/P.
||Air Force Chief Information Officer/P
||When feasible, publish Privacy Impact Assessment on Freedom of Information Act Web page (http://www.foia.af.mil).
Section D—Privacy Issues in Information Systems
Privacy Act of 1974,
5 U.S.C. 552a
Title 5, U.S.C., 552a, The Privacy Act of 1974, as amended, requires Federal Agencies to protect personally identifiable information. It states specifically:
Each agency that maintains a system of records shall:
Maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President;
Collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs;
Maintain all records used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination;
Establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.
Accuracy—within sufficient tolerance for error to assure the quality of the record in terms of its use in making a determination.
Completeness—all elements necessary for making a determination are present before such determination is made.
Determination—any decision affecting an individual which, in whole or in part, is based on information contained in the record and which is made by any person or agency.
Necessary—a threshold of need for an element of information greater than mere relevance and utility.
Record—any item, collection or grouping of information about an individual and identifiable to that individual that is maintained by an agency.
Relevance—limitation to only those elements of information that clearly bear on the determination(s) for which the records are intended.
Routine Use—with respect to the disclosure of a record, the use of such record outside DoD for a purpose that is compatible with the purpose for which it was collected.
System of Records—a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
Timeliness—sufficiently current to ensure that any determination based on the record will be accurate and fair.
Information and Privacy
To fulfill the commitment of the Air Force to protect personal information, several issues must be addressed with respect to privacy.
The use of information must be controlled.
Information may be used only for a necessary and lawful purpose.
Individuals must be informed in writing of the principal purpose and routine uses of the information being collected from them.
Information collected for a particular purpose should not be used for another purpose without the data subject's consent unless such other uses are specifically authorized or mandated by law.
Any information used must be sufficiently accurate, relevant, timely and complete to assure fair treatment of the individual.
Given the availability of vast amounts of stored information and the expanded capabilities of information systems to process the information, it is foreseeable that there will be increased requests to share that information. With the potential expanded uses of data in automated systems it is important to remember that information can only be used for the purpose for which it was collected unless other uses are specifically authorized or mandated by law. If the data is to be used for other purposes, then the public must be provided notice of those other uses. These procedures do not in themselves create any legal rights, but are intended to express the full and sincere commitment of the Air Force to protect individual privacy rights and which provide redress for violations of those rights.
Data in the System
The sources of the information in the system are an important privacy consideration if the data is gathered from other than Air Force records. Information collected from non-Air Force sources should be verified, to the extent practicable, for accuracy, that the information is current, and complete. This is especially important if the information will be used to make determinations about individuals.
Access to the Data
Who has access to the data in a system must be defined and documented. Users of the data can be individuals, other systems, and other agencies. Individuals who have access to the data can be system users, system administrators, system owners, managers, and developers. When individuals are granted access to a system, their access should be limited, where possible, to only that data needed to perform their assigned duties. If individuals are granted access to all of the data in a system, procedures need to be in place to deter and detect browsing and unauthorized access. Other systems are any programs or projects that interface with the system and have access to the data. Other agencies can be International, Federal, state, or local entities that have access to Air Force data.
Attributes of the Data
When requirements for the data to be used in the system are being determined, those requirements must include the privacy attributes of the data. The privacy attributes are derived from the legal requirements imposed by The Privacy Act of 1974. First, the data must be relevant and necessary to accomplish the purpose of the system. Second, the data must be complete, accurate, and timely. It is important to ensure the data has these privacy attributes in order to assure fairness to the individual in making decisions based on the data.
Maintenance of Administrative Controls
Automation of systems can lead to the consolidation of processes, data, and the controls in place to protect the data. When administrative controls are consolidated, they should be evaluated so that all necessary controls remain in place to the degree necessary to continue to control access to and use of the data. Document record retention and disposal procedures and coordinate them with the Major Command Records Manager.
Section E—Privacy Questions
Data in the System
1. Generally describe the information to be used in System the system.
2. What are the sources of the information in the system?
a. What Air Force files and databases are used?
b. What Federal Agencies are providing data for use in the system?
c. What State and local agencies are providing data for use in the system?
d. What other third party sources will data be collected from?
e. What information will be collected from the employee?
3. Is data accurate and complete?
a. How will data collected from sources other than Air Force records and the subject be verified for accuracy?
b. How will data be checked for completeness?
c. Is the data current? How do you know?
4. Are the data elements described in detail and documented? If yes, what is the name of the document?
Access to the Data
1. Who will have access to the data in the system Data (Users, Managers, System Administrators, Developers, Other)?
2. How is access to the data by a user determined? Are criteria, procedures, controls, and responsibilities regarding access documented?
3. Will users have access to all data on the system or will the user's access be restricted? Explain.
4. What controls are in place to prevent the misuse (e.g., browsing) of data by those having access?
5. Does the system share data with another system?
a. Do other systems share data or have access to data in this system? If yes, explain.
b. Who will be responsible for protecting the privacy rights of the employees affected by the interface?
6. Will other agencies have access to the data in the system?
a. Will other agencies share data or have access to data in this system (International, Federal, State, Local, Other)?
b. How will the data be used by the agency?
c. Who is responsible for assuring proper use of the data?
d. How will the system ensure that agencies only get the information they are entitled to under applicable laws?
Attributes of the Data
1. Is the use of the data both relevant and necessary Data to the purpose for which the system is being designed?
2. Will the system create new data about an individual?
a. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?
b. Will the new data be placed in the individual's record?
c. Can the system make determinations about the record subject that would not be possible without the new data?
d. How will the new data be verified for relevance and accuracy?
3. Is data being consolidated?
a. If data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
b. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
4. How will the data be retrieved? Is it retrieved by a personal identifier? If yes, explain.
Maintenance of Administrative Controls
(1) a. Explain how the system and its use will ensure Administrative equitable treatment of record subjects.
b. If the system is operated at more than one location, how will consistent use of the system and data be maintained?
c. Explain any possibility of disparate treatment of individuals or groups.
(2) a. Coordinate proposed maintenance and disposition of the records with the Major Command Records Manager.
b. While the data is retained in the system, what are the requirements for determining if the data is still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?
(3) a. Is the system using technologies in ways that the Air Force has not previously employed?
b. How does the use of this technology affect personal privacy?
(4) a. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.
b. Will this system provide the capability to identify, locate, and monitor groups of people? If yes, explain.
c. What controls will be used to prevent unauthorized monitoring?
(5) a. Under which Systems of Record notice does the system operate? Provide number and name.
b. If the system is being modified, will the system of record require amendment or revision? Explain.