COMDTINST 5260.4A
information (PII) and data only as authorized by law and as necessary to carry out its mission.
Requiring PIAs is intended to make systems development a multidisciplinary effort, involving
systems owners, IT specialists, security, and privacy experts. The primary purpose of a PIA is to
allow the organization building or operating a system that collects, maintains, and disseminates
PII to determine whether it is in compliance with relevant data protection legislation at any
particular stage. DHS published "Privacy Impact Assessments - Official Guidance," (enclosure
(1)), to guide system owners and developers in assessing privacy concerns during the early
stages of systems development or major modifications. This guide shall be followed to
determine if a PIA is required for your system(s). If required, respond to the questions in
accordance with enclosure (1) of this Instruction. Additionally, provide the contact information
by completing enclosure (2). Send enclosures (1) and (2) to Commandant (CG-611). Following
approval, DHS will submit the PIA for publication in the Federal Register. The PIA Process Flow
Chart (enclosure (3)) is provided for information purposes.
5. BACKGROUND. The Office of Management and Budget (OMB) guidance to agencies on
implementing the privacy provisions of Section 208 of the E-Government Act of 2002 (Public
Law 107-347, 44 U.S.C. Ch 36) includes a requirement for PIAs. In addition to existing policies
contained in reference (a), agencies are required to conduct PIAs for electronic information
systems or projects that collect, maintain, or disseminate information in identifiable form from or
about members of the public. Significantly altered IT systems are subject to assessment as well.
Agencies must make these assessments publicly available. Failure to complete a PIA may
jeopardize OMB funding approval. As the volume of data collected from members of the public
grows, there is an expectation that such privacy data be maintained in a secure manner.
6. OTHER RELATED LEGISLATION.
a. The Privacy Act of 1974, as Amended (5 U.S.C. 552a), affords individuals the right to privacy
in records that are maintained and used by Federal agencies. The Act includes the Computer
Matching and Privacy Protection Act of 1988 (Public Law 100-503).
b. The Freedom of Information Act of 1966, as Amended (5 U.S.C. 552), establishes a presumption
that records in the possession of agencies and departments of the Executive Branch of the
United States Government are accessible to the people.
c. Reference (b), the Homeland Security Act of 2002 (H.R. 5005, Subtitle C, Information
Security), http://www.whitehouse.gov/deptofhomeland/hr_5005_enr.pdf, requires that a
PIA of proposed rules on the privacy of personal information, including the type of PII
collected and the number of people affected, be completed. An annual report to
Congress is prepared on the activities that affect privacy, including complaints of privacy
violations, implementation of the Privacy Act of 1974, internal controls, and other matters.
d. Reference (c), Section 208 of the E-Government Act of 2002 (Public Law 107-347, 44 U.S.C.
Ch 36), contains the privacy provisions. This guidance directs agencies to conduct assessments