
U.S. Department of Commerce
Office of the Chief Information Officer

Information Technology Privacy Policy

What is Information Technology (IT) Privacy?

What are the federal laws and guidance that relate to the protection of privacy for individuals and businesses?

What are the privacy responsibilities of the Commerce Chief Information Officer (CIO)?

What is a Web Privacy Policy?

What is a machine readable Web Privacy Policy?

What is a Privacy Impact Assessment (PIA)?

For what systems or information collections must a PIA be completed?

What is personally identifiable information (PII)?

What is business identifiable information (BII)?

When is a PIA not required?

What is a PIA statement and what must it include?

What is the relationship between the PIA and requirements under the Paperwork Reduction Act (PRA) and the Privacy Act?

What is the relationship between the PIA and Exhibit 300?

What is the process for the review and publication of the PIA?

Who can provide additional information on this policy or other privacy issues?

What is Information Technology (IT) Privacy?

IT Privacy is the protection of personally identifiable or business identifiable information that is collected from respondents through information collection activities or from other sources and that is maintained by the Department of Commerce in its information technology (IT) systems. For purposes of this policy, this information is termed "identifiable information." Office of Management and Budget (OMB) guidance, consistent with the E-Government Act of 2002, protects personally identifiable information (PII). Commerce, through this policy, is extending the same protection to business identifiable information (BII).

Rapid advancements in computer technology make it possible to store and retrieve vast amounts of data of all kinds quickly and efficiently. These advancements have raised concerns about the impact of IT systems on the privacy of individuals and businesses. The Department of Commerce is committed to protecting identifiable information collected from individuals and businesses to the extent permitted by law. The Department will treat all identifiable information with fairness and respect, and ensure its integrity reflective of the stewardship responsibility for the information entrusted to it. To address these concerns, the Department of Commerce has adopted the following privacy principles:

    • Data Minimization: The Department of Commerce will collect the minimal amount of information necessary from individuals and businesses consistent with the Department's mission and legal requirements.

    • Transparency: Notice covering the purpose of the collection and use of identifiable information will be provided in a clear manner. Information collected will not be used for any other purpose unless authorized or mandated by law.

    • Accuracy: Information collected will be maintained in a sufficiently accurate, timely, and complete manner to ensure that the interests of the individuals and businesses are protected.

    • Security: Adequate physical and IT security measures will be implemented to ensure that the collection, use, and maintenance of identifiable information is properly safeguarded and the information is promptly destroyed in accordance with approved records control schedules.

What are the federal laws and guidance that relate to the protection of privacy for individuals and businesses?

    • The Privacy Act of 1974 (5 USC 552a) regulates the Federal Government's collection, use, maintenance, and dissemination of information about individuals.

    • Section 208 of the E-Government Act of 2002 (44 USC 36) establishes procedures to ensure the privacy of personal information in electronic records.

    • The Paperwork Reduction Act (PRA) of 1995 (44 USC 3501 et seq.) is designed to reduce the public's burden of answering unnecessary, duplicative, and burdensome government surveys.

    • The Trade Secrets Act (18 USC 1905) provides criminal penalties for the theft of trade secrets and other business identifiable information.

    • The Children's Online Privacy Protection Act of 1998 (15 USC 6501-06) regulates the online collection and use of personal information provided by and relating to children under the age of 13.

    • OMB Circular A-130, "Management of Federal Information Resources," establishes a policy for the management of Federal information resources, including automated information systems.

    • OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003, provides specific guidance to agencies for implementing Section 208 of the E-Government Act.

What are the privacy responsibilities of the Commerce Chief Information Officer (CIO)?

The CIO has the responsibility for ensuring that identifiable information in IT systems is effectively protected and secured. Specific responsibilities include:

    • Develop IT privacy policy and guidance and ensure their dissemination and implementation throughout the Department. This includes policy and guidance for operating units on the preparation of Web Privacy Policies, conduct of Privacy Impact Assessments (PIAs), and posting of privacy policies and PIAs on Department of Commerce Web sites used by the public.

    • Review PIAs, with the assistance of the Commerce Chief Privacy Officer.

    • Submit OMB-mandated PIAs to OMB.

    • Prepare and submit to OMB an annual report on compliance with the privacy provisions of the E-Government Act of 2002.

What is a Web Privacy Policy?

The E-Government Act requires that agencies develop and post on agency Web sites privacy notices consistent with those required for systems of records under the Privacy Act. The Web Privacy Policy is a general notice on an agency Web site explaining agency information handling practices. OMB Memorandum M-03-22 identifies the content that must be included in the notice. See the Department of Commerce Web Privacy Policy on this requirement.

What is a machine readable Web Privacy Policy?

The E-Government Act also requires that agencies adopt machine readable technology that alerts users automatically about whether the site privacy practices match their personal privacy preferences so they can make an informed choice about whether to conduct business with that site. Privacy policy in standardized machine-readable format means a statement about site privacy practices written in a standard computer language (not English text) that can be read automatically by a Web browser.

In addition to having the Web Privacy Policy in machine-readable format, OMB encourages agencies to adopt other privacy protection tools that become available as the technology advances.

What is a Privacy Impact Assessment (PIA)?

A PIA is a process for determining the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system, and for identifying and evaluating protections and alternative processes to mitigate the impact to privacy of collecting information in identifiable form.

The E-Government Act requires that agencies conduct a PIA before (i) developing or procuring information technology that collects, maintains, or disseminates information that is in an identifiable form or (ii) initiating a new electronic collection of information that will be collected from 10 or more persons, other than agencies, instrumentalities, or employees of the Federal Government, and will be maintained, or disseminated in an identifiable form, using information technology.

PIAs are conducted to ensure that there is no collection, storage, access, use, or dissemination of identifiable information from or about members of the general public and businesses that is not needed or authorized, and that identifiable information that is collected is adequately protected. PIAs may address issues relating to the integrity and availability of data handled by a system, to the extent these issues are not already adequately addressed in a System Security Plan.

Operating units should begin the PIA process when they propose a new IT system through the budget process that will collect, store, or process identifiable information or when starting to develop or significantly modify such a system, or when a new electronic collection of identifiable information is being proposed. The conduct of a PIA is a multidisciplinary process, and operating units should coordinate the efforts of system managers as well as experts in information technology, security, and privacy law and policy in determining whether a PIA should be conducted and in drafting PIAs. The system manager and the system developer must work together to conduct the PIA. The system manager must address what data are to be collected or processed, how the data will be used, and who will be authorized to use the data. The system developer must address what system protections are being applied or will be applied to ensure adequate protection of the data.

To conduct an effective and comprehensive PIA, the system manager and developer should include in the review process those individuals who have expertise in the program area, legal issues, privacy, records management, human resources, and any other subject matter area that may be applicable to the system under review.

For what systems or information collections must a PIA be completed?

PIAs must be completed for new systems and proposed information collections that contain personally identifiable information, including systems under development and systems undergoing major modifications. A PIA is not required for legacy systems and currently operational systems unless a major upgrade or significant change relative to the content or protection of data within the system is anticipated, and the system contains personally identifiable information.

OMB implementing guidance for the E-Government Act requires agencies to conduct a PIA before:

    • Developing or procuring IT systems or investments that collect, maintain, or disseminate information in identifiable form from or about members of the public, or

    • Initiating, consistent with the Paperwork Reduction Act, a new or significantly revised electronic collection of information in identifiable form for 10 or more persons (excluding agencies, instrumentalities, or employees of the Federal Government).

Commerce extends the requirement for PIAs to systems or collections of information that include business identifiable information before:

    • Developing or procuring IT systems or investments that collect, maintain, or disseminate information in identifiable form from or about companies or other business entities.

    • Initiating the collection, maintenance, or dissemination of information in identifiable form about companies or other business entities.

Commerce policy also extends the requirement for PIAs to systems or information collections of personally identifiable or business identifiable information that are:

    • Part of new multi-agency projects in which Commerce or a Commerce operating unit is a participant, or

    • Created, operated, or performed on a reimbursable basis by Commerce for another federal agency under an Interagency Agreement.

In general, PIAs are required to be performed and updated as necessary where a system change creates new privacy risks. Examples include:

    • When a paper based records system is converted to an electronic system.

    • When an existing electronic system is modified so that previously anonymous information becomes identifiable.

    • When new uses of an existing IT system, such as the application of new technologies, significantly change how identifiable information is managed in the system.

    • When databases holding identifiable information are merged, centralized, matched with other databases, or otherwise significantly manipulated.

    • When user-authenticating technology (e.g., password, digital certificate, or biometric) is newly applied to an electronic information system accessed by members of the public.

    • When agencies systematically incorporate into existing IT systems databases of information in identifiable form purchased from commercial or public sources.

    • When agencies work together on shared functions involving significant new uses or exchanges of information in identifiable form.

    • When alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional items of identifiable information.

    • When new identifiable information that is added to the system increases the risks to personal privacy (e.g., the addition of medical or financial information).

    • When a system with identifiable information is relocated to a remote site or a facility not under the direct control of the Department (e.g., a contractor's processing facility).

In addition, operating units may conduct discretionary PIAs as they determine to be appropriate and necessary.

What is personally identifiable information (PII)?

Personally identifiable information (PII) is information that identifies individuals directly or by reference. Examples include direct references such as name, address, social security number, and e-mail address. It also includes any information that could be used to reference other data elements that are used for identification, such as gender, race, and date of birth.

What is business identifiable information (BII)?

For the purpose of this policy, business identifiable information (BII) consists of (a) information that is defined in the Freedom of Information Act (FOIA) as "trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential" (5 U.S.C. 552(b)(4)). This information is exempt from automatic release under the (b)(4) FOIA exemption. "Commercial" is not confined to records that reveal "basic commercial operations" but includes "any records [or information] in which the submitter has a commercial interest" and can include information submitted by a nonprofit entity.

Or (b) commercial or other information that, although it may not be exempt from release under FOIA, is exempt from disclosure by law (e.g., 13 U.S.C.).

When is a PIA not required?

A PIA is not required where information relates to internal government operations, has been previously assessed under an evaluation similar to a PIA, or where privacy issues are unchanged, as in the following circumstances:

    • For government-run Web sites, IT systems, or collections of information that do not collect or maintain information in identifiable form about members of the general public, as well as government employees, contractors, or consultants.

    • For government-run public Web sites where the user is given the option of contacting the site operator for the limited purpose of asking questions or providing comments.

    • For national security systems defined at 40 U.S.C. 11103 as exempt from the definition of information technology. (See section 202(i) of the E-Government Act.)

    • When all elements of a PIA are addressed in a matching agreement governed by the computer matching provisions of the Privacy Act.

    • When all elements of a PIA are addressed in an interagency agreement permitting the merging of data for strictly statistical purposes and where the resulting data are protected from improper disclosure and use under Title V of the E-Government Act.

    • When operating units are developing IT systems or collecting non-identifiable information for a discrete purpose that does not involve matching with or retrieval from other databases that generate individual or business identifiable information.

    • For minor changes to an IT system or collection that do not create new privacy risks.

Although the E-Government Act and OMB guidance do not require that PIAs be conducted for systems that collect data about businesses, Commerce policy requires PIAs for systems with business identifiable information.

What is a PIA statement and what must it include?

The PIA statement is an analysis of how information is handled, including identification of IT risks and their resolution. The PIA must document the following elements:

    • Identifying information, including the OMB Exhibit 300 identification number; name of system or OMB information collection control number; related Privacy Act System of Records notice; and name, e-mail address, and phone number of a contact person.

    • Brief description of the system, its purpose, and the nature of the data that are to be protected.

    • Event or reason the PIA was conducted (e.g., new data collection, ongoing data collection, or reuse of existing data).

    • The law or regulation that authorizes the collection and maintenance of the information.

    • What information is being collected, maintained, or disseminated (e.g., nature and source).

    • Why the information is being collected, maintained, or disseminated (e.g., to determine eligibility).

    • Intended use of the information (e.g., to verify existing data).

    • With whom the information will be shared (e.g., another agency for a specified programmatic purpose).

    • What opportunities individuals or businesses have to decline providing information in the case of voluntary collections.

    • What opportunities individuals or businesses have to consent to particular uses of the information and how they can grant consent.

    • How the information will be secured (e.g., administrative and technological controls).

    • Whether the collection will result in the creation of a system of records within the meaning of the Privacy Act.

The depth and content of the PIA statement should be commensurate with the size of the information system being assessed, the sensitivity of the information that is in an identifiable form in that system, and the risk of harm from unauthorized release of that information. For example, PIA statements for major information systems will reflect more extensive analyses of the consequences of the collection and flow of information; the alternatives to collection and handling as designed; privacy risk mitigation measures for each alternative; and the rationale for the final design choice or business process.

What is the relationship between the PIA and requirements under the Paperwork Reduction Act (PRA) and the Privacy Act?

OMB reviews and clears information collections. Pursuant to the PRA, all new information collections subject to the PRA must be submitted to OMB. Operating units undertaking new information collections using electronic means for collecting, processing, or storing the information must conduct a PIA. The resulting PIA statement must be submitted through the Department to OMB along with the information collection request (ICR) unless it has been submitted to OMB as part of the business case development process. All elements required to be in the PIA statement must be addressed and identifiable in the context of the structure of the Paperwork Reduction Act Submission (OMB 83-I) for the ICR.

Operating units need not conduct a new PIA for simple renewal requests for information collections under the PRA, but must separately consider the need for a PIA when amending an ICR to collect information that is significantly different in character from the original collection.

Similarly, operating units may choose to conduct a PIA when developing a system of records (SOR) notice required under the Privacy Act, in that the PIA and SOR notice overlap in content, e.g., the categories of records in the system, the uses of the records, and the policies and practices for handling. Operating units must separately consider the need to conduct a PIA when issuing a change to the SOR notice. For example, a change in the type or category of record added to the system may warrant a PIA.

What is the relationship between the PIA and Exhibit 300?

The PIA statement must clearly indicate the link between the privacy system or information collection covered by the PIA and the related major information system described in OMB Exhibit 300, "Capital Asset Plan and Business Case." The PIA must indicate prominently the unique ID of the Exhibit 300 business case to which it relates and whether it covers the complete system identified in the Exhibit 300 or only one of several subsystems or information collections that are part of the major system in the Exhibit 300. The Exhibit 300 must state whether there is an accompanying PIA statement.

What is the process for review and publication of the PIA?

When an operating unit conducts either a mandatory or discretionary PIA, the operating unit must send the resulting PIA statement to the Commerce CIO for review. The Commerce CIO and the Chief Privacy Officer will review the PIA, and the CIO and/or Chief Privacy Officer will consult with the operating unit to resolve any concerns. When concerns are resolved, the CIO, with the concurrence of the Chief Privacy Officer, will submit OMB-mandated PIA statements addressing personally identifiable information to OMB for review.

The E-Government Act and OMB implementing guidance require agencies to make their mandatory PIA statements addressing personally identifiable information available to the public. The PIA statement should not be made publicly available to the extent that publication would raise security concerns or reveal national security or other sensitive information. A summary of the PIA that omits this sensitive information should be prepared for public availability. Identifiable information should not be included in the PIA statement and cannot be the basis for not making the PIA statement publicly available.

PIA statements associated with budget proposals submitted to OMB or prepared for submission to OMB are pre-decisional, and are not to be made public unless and until OMB approves the budget proposal and includes it in the President's Budget. PIA statements associated with information collection requests (ICRs) are not to be made public unless and until OMB approves the ICR.

Subject to the restrictions immediately above, at the completion of the Commerce and OMB PIA statement review process, the operating unit must publish the PIA statement or a summary of the PIA statement addressing personally identifiable information on its Web site. In the case of a PIA statement that is associated with a budget request in the President's Budget, the PIA statement or a summary of the PIA statement addressing personally identifiable information should be made available promptly to the public upon the delivery of the President's Budget to the Congress.

For Commerce-mandated PIAs that address business identifiable information and for other OMB-discretionary PIAs, the operating unit must send the completed PIA statement to the Commerce CIO for review by the Commerce CIO and the Chief Privacy Officer. These PIAs are conducted pursuant to Commerce policy; they are not sent to OMB. After review by the Commerce CIO and the Chief Privacy Officer, the operating unit is to decide, in consultation with the Commerce CIO and the Chief Privacy Officer, whether the PIA statement or a summary of it should be made publicly available on the operating unit's Web site.

Who can provide additional information on this policy or other privacy issues?

For information on the provisions of this policy related to the E-Government Act or the Paperwork Reduction Act, contact Diana Hynek (dhynek@doc.gov) or Dan Rooney (drooney@doc.gov) in the Office of the CIO or Robert Cresanti (RCresanti@technology.gov), the Department's Chief Privacy Officer.

For information on provisions of the Privacy Act, contact Brenda Dolan (bdolan@doc.gov), the Department's Privacy Officer.

Supersedes policy dated: None
Origination date: July 30, 2004
Approved by: Thomas N. Pyke, Jr., Chief Information Officer, July 30, 2004
Revision status: Maintenance update January 29, 2007