Enclosure (1) to COMDTINST 5260.4A
Introduction
Privacy Impact Assessments ("PIAs") are required by Section 208 of the E-Government Act
for all Federal government agencies that develop or procure new technology involving the
collection, maintenance or dissemination of personally identifiable information or that make
substantial changes to existing technology for managing information in identifiable form. The
Office of Management and Budget ensures that PIAs necessitated under the E-Government
Act are completed by requiring them as part of the annual budget process.
The Chief Privacy Officer of the Department of Homeland Security is required by Section 222 of
the Homeland Security Act to assure that the technology used by the Department sustains
privacy protections. The PIA for new technology, systems, and programs is the mechanism by
which the Chief Privacy Officer conducts this assessment. In addition, the Chief Privacy Officer
is required to conduct PIAs for proposed rulemakings of the Department. The Chief Privacy
Officer approves PIAs conducted by DHS offices and programs.
In 2004, the DHS Privacy Office issued "Privacy Impact Assessments Made Simple." This
amended guidance supersedes "PIAs Made Simple," and reflects the requirements of both
Section 208 of the E-Government Act of 2002 and Section 222 of the Homeland Security Act of
2002. The DHS Chief Privacy Officer requires that all new PIAs follow this guidance after the
publication date of this guidance.
What is a PIA?
A PIA is an analysis of how personally identifiable information is collected, stored, protected,
shared and managed. "Personally identifiable information" is defined as information in a system
or online collection that directly or indirectly identifies an individual whether the individual is a
U.S. Citizen, Legal Permanent Resident, or a visitor to the U.S. In some cases, personal
information, such as a body scan, may be captured only for a short period of time. This still is
considered a collection, however, and a PIA would need to be conducted during the development
and prior to the deployment of the new technology.
The purpose of a PIA is to demonstrate that system owners and developers have consciously
incorporated privacy protections throughout the entire life cycle of a system. This involves
making certain that privacy protections are built into the system from the start, not after the fact
when they can be far more costly or could affect the viability of the project.
The PIA process requires that candid and forthcoming communications occur between the
program manager and the Privacy Office to ensure appropriate and timely handling of privacy
concerns. Addressing privacy issues publicly builds citizen trust in the mission of the
Department of Homeland Security.
Complying with the PIA Requirement
4
Previous Page
