32 CFR 701.118 - Privacy, IT, and PIAs.
(a) Development. Privacy must be considered when requirements are being analyzed and decisions are being made about data usage and storage design. This applies to all of the development methodologies and system life cycles used in the DON.
(b) E-Government Act of 2002. The E-Government Act of 2002 (Pub. L. 107-347) directs agencies to conduct reviews of how privacy issues are considered when purchasing or creating new IT systems or when initiating new electronic collections of IIF. See DOD Memo of 28 Oct 05, subject “DOD PIA Guidance.”
(c) Purpose. To ensure IIF is only acquired and maintained when necessary and the supporting IT that is being developed and used protects and preserves the privacy of the American public and to provide a means to assure compliance with applicable laws and regulations governing employee privacy. A PIA should be prepared before developing or procuring a general support system or major application that collects, maintains, or disseminates IIF from or about DON civilian or military personnel.
(d) Scope. The PIA incorporates privacy into the development life cycle so that all system development initiatives can appropriately consider privacy issues from the earliest stages of design. During the early stages of the development of a system, both the system owner and system developer shall work together to identify, evaluate, and resolve any privacy risks. Accordingly,
(1) System owners must address what data is to be used, how the data is to be used, and who will use the data.
(2) System developers must address whether the implementation of the owner's requirements presents any threats to privacy.
(e) Requirements. Before developing, modifying or establishing an automated system of records that collects, maintains, and/or disseminates IIF, DON activities shall conduct a PIA to effectively address privacy factors. Guidance is provided at http://www.doncio.navy.mil.
(f) Coverage. E-Government Act of 2002 (Pub. L. 107-347) mandates the preparation of a PIA either before developing or procuring IT systems that collect, maintain, or disseminate IIF from or about members of the public or initiating a new electronic collection of IIF for 10 or more persons of the public. (Note: The public DOES NOT include DON civilian or military personnel, but DOES cover family members of such personnel, retirees and their family members, and DON contractors.) A PIA should be prepared before developing, modifying, or procuring IT systems that collect, maintain, or disseminate IIF from or about members of the public or initiating a new electronic collection of IIF for 10 or more members of the public. A PIA shall also be prepared before developing, modifying or procuring a general support system or major application that collects, maintains, or disseminates IIF from or about DON civilian and military personnel.
(g) PIA not required.
(1) Legacy systems do not require completion of a PIA. However, DON CIO may request a PIA if the automation or upgrading of these systems puts the data at risk.
(2) Current operational systems do not require completion of a PIA. However, if privacy is a concern for a system, the DON CIO can request that a PIA be completed. If a potential problem is identified concerning a currently operational system, the DON will use all reasonable efforts to remedy the problem.