Enclosure (1) to COMDTINST 5260.4A
known address of a suspected Visa violator. In some cases the program may choose to "ping" the
database of the data aggregator rather than download extensive information. No matter how a
program decides to incorporate the use of a commercial data aggregator, a PIA would be
required.
Regarding "Private" Information
Personally identifying information should not be confused with "private" information. Private
information is information that an individual would prefer not be known to the public because it
is of an intimate nature. Personally identifying information is much broader; it is information
that identifies a person or can be used in conjunction with other information to identify a
person, regardless of whether a person would want it disclosed. If the information or collection
of information connects to an individual, it is classified as "personal information."
Example: A license plate number is personally identifying information because it indirectly
identifies an individual, but it is not deemed "private" because it is visible to the public. PIAs
require analysis of the broader "personally identifiable information," not just the narrower
"private information."
Regarding Privacy Act System of Records Notice (SORN) requirements v. PIA requirements
The Privacy Act requires agencies to publish Systems of Records Notices (SORNs) that describe
the categories of personally identifiable information that they collect, maintain and use.
Generally, the requirements to conduct a PIA are broader and more frequent than the
requirements for System of Records Notices. The PIA requirement is triggered by both the
technology and the collection of information. Even if the collection of information remains the
same and is already covered by an existing SORN, if the technology using the information is
changing, the PIA must be completed or updated to reflect the new impact of the technology.
The PIA requirement does not provide an exemption for pilot testing programs. If the system is
being designed to handle personal information even in a pilot test, the PIA is required to be
published prior to the commencement of any pilot test. If, in the process of developing a new
program, a SORN needs to be updated, a PIA will also be required.
When to Conduct a PIA
A PIA should be conducted when an office is doing any of the following:
Developing or procuring any new technologies or systems that handle or collect
personal information. A PIA is required for all budget submissions to OMB. The PIA
should show that privacy was considered from the beginning stage of system
development. If a program is beginning with a pilot test, a PIA is required prior to the
commencement of the pilot test even if real personal information is not going to be used
in the pilot test.