Enclosure (1) to COMDTINST 5260.4A
Developing system revisions. If an organization modifies an existing system, a PIA
will be required. For example, if a program adds sharing of information with another
agency or incorporates commercial data from an outside data aggregator, a PIA is
required. Appendix I of this document provides extensive examples.
Issuing a new or updated rulemaking that affects personal information. If an
organization decides to collect new information or update its existing collections as part
of a rulemaking, a PIA is required. The PIA should discuss how the management of these
new collections ensures conformity with privacy law. Even if a program has specific
authority to collect certain information or build a certain program, a PIA is required.
Classified Information and Systems
A PIA should be conducted for all systems, including classified systems, but the program may
be exempted from the requirement to publish the PIA. Note that Privacy Office personnel are
cleared to read classified materials, and prior to public release of any PIA, all proper redactions
will be made.
Negative PIAs
In some instances, an organization may choose to develop a negative PIA. A negative PIA
documents why a full PIA is not necessary. For example, if the system does not collect
personally identifiable information, a short negative PIA will demonstrate that a traditional PIA
is not required. This is particularly useful for major budget submissions, so that decisions made
by the Privacy Office and the component are memorialized for subsequent budget submissions.
How to Conduct a PIA
Section 208 of the E-Government Act of 2002 states that agencies are required to conduct PIAs
for electronic information systems and collections. The Act requires agencies to make PIAs
publicly available. PIAs should be clear, unambiguous, and understandable to the general
public.
The length and breadth of a PIA will vary by the size and complexity of the system. Any new
system development that has major budget implications or involves the processing of personal
information should be able to demonstrate, through the PIA, that an in-depth analysis was done
to ensure that privacy protections were built into the system.
In order to give DHS PIAs a consistent look and feel, documents should be provided in Times
New Roman, 12 point font with 1" margins. All PIAs done after the effective date of this
amended guidance should be in the format outlined below. All questions should be answered. If