COMDTINST 5260.4A
before developing or procuring an information system, or initiating a new collection of PII
that will be processed electronically.
7. CHANGES.
a. PIAs are required for both internal and external IT systems.
b. PIAs are required for new or updated Rulemaking proposals that impact PII. If an
organization decides to collect new information or update its existing collections as part of a
rulemaking, a PIA is required. The PIA should discuss how the management of these new
collections ensures conformity with privacy law. Even if a program has specific authority to
collect certain information or build a certain program, a PIA is required.
c. A PIA should be conducted for all systems, including those that are classified. For such
systems, the requirement to publish the PIA may be waived, and all proper redactions will be made
prior to any public release by DHS.
d. In some instances, an organization may choose to develop a "Negative PIA." A Negative PIA
documents why a full PIA is not necessary. For example, if the system does not collect PII, a
short Negative PIA will demonstrate that a traditional PIA is not required. This is particularly
useful for major budget submissions, so that decisions made by the Privacy Office and the
component are memorialized for subsequent budget submissions.
e. Additional Questions:
(1) What specific legal authorities, arrangements, and/or agreements define the collection of
information?
(2) Has the retention schedule been approved by the National Archives and Records
Administration (NARA)? If so, what is the name of the Record Schedule?
(3) With which internal or external organization(s) is the information shared? For each
organization, what information is shared and for what purposes?
(4) How is the information transmitted or disclosed?
(5) Was notice provided to the individual prior to the collection of information? If yes, please
provide a copy of the notice.
(6) Will contractors to DHS have access to the system? If so, please submit a copy of the
contract describing their role to the Privacy Office with the PIA.
(7) Is the data secured in accordance with the Federal Information Security Management Act
(FISMA) requirements? If yes, when was Certification & Accreditation last completed?
(8) Were competing technologies evaluated to assess and compare their ability to effectively
achieve system goals?
3