Enclosure (1) to COMDTINST 5260.4A
The Department of Homeland Security is committed to analyzing and sharing information and
intelligence through all of its agencies so that the urgent task of protecting the homeland can be
carried out. At the same time, the Department should have in place robust protections for the
privacy of any personal information that we collect, store, retrieve and share.
These protections, embodied in Federal law, seek to foster three concurrent objectives:
Minimize intrusiveness into the lives of individuals;
Maximize fairness in institutional decisions made about individuals; and
Provide individuals with legitimate, enforceable expectations of confidentiality.
Federal law recognizes the ever-increasing amount of information stored in government systems
and the speed with which computers can process and transfer data. The E-Government Act of
2002 mandates an assessment of the privacy impact of any substantially revised or new
information technology system because of the potential privacy impacts from maintenance of
electronic databases. Similarly, the Homeland Security Act of 2002 acknowledges the
Department's role in collecting sensitive information about individuals and includes a
requirement that the Chief Privacy Officer of DHS assure that technology used by the
Department sustains privacy protections. The Homeland Security Act also recognizes the
potential effect of proposed rules on privacy and authorizes the Chief Privacy Officer to conduct
privacy impact assessments on proposed rules of the Department.
The document in which the Department memorializes its compliance with the E-Government
Act and Homeland Security Act is called a "Privacy Impact Assessment," or "PIA." A PIA
analyzes how personal information is collected, used, stored, and protected by the Department
and examines how the Department has incorporated privacy concerns throughout its
development, design and deployment of the technology and/or rulemaking.
The PIA is a document that helps the public understand what information the Department is
collecting, why the information is being collected, how the information will be used and shared,
how the information may be accessed, and how it will be stored. This document builds trust
between the public and the Department by increasing transparency of the Department's systems
and goals.
The PIA demonstrates that the Department considers privacy from the beginning stages of a
system's development and throughout the system's life cycle. The PIA process and the
document itself are intended to ensure that privacy protections are built into the system from the
start, not after the fact when privacy concerns can be far more costly to address or could affect
the viability of the project. Additionally, the PIA demonstrates that the system developers and
owners have made technology choices that reflect the incorporation of privacy into the
fundamental system architecture. In order to make the PIA comprehensive and meaningful, it
should involve collaboration between program experts, information technology experts, security
experts, and privacy experts.
The PIA is a living document that needs to be updated regularly as the program and system are
developed, not just when the system is deployed. In cases where a legacy system is being updated,
the PIA demonstrates that the system developers and program managers have implemented
privacy protections into the updates. The PIA for legacy systems making changes that affect