Guide to U.S. Census Bureau Data Stewardship/Privacy Impact Assessments (DS/PIAs)
1.0 Data Stewardship Program
The U.S. Census Bureau has consolidated its data confidentiality, data access, and privacy activities
into a Data Stewardship Program, ensuring a focused and sustained level of effort toward data stewardship
issues. The mission of the program is to assure that the Census Bureau can effectively collect and use
data, while meeting its legal and ethical obligations, especially to respondents. These obligations
include fully meeting the legal, ethical, and reporting requirements levied by the Census Act, the
Privacy Act, the E-Government Act and other applicable statutes, including those of governmental and
other suppliers of data to the Census Bureau. Included are professional ethical responsibilities,
such as those articulated in the National Academy of Sciences’ report Private Lives and Public
Policies (1993). The Census Bureau honors its commitment to the highest standards through this
Data Stewardship Program.
At the core of the program is the Data Stewardship Executive Policy Committee (DSEP), the Census Bureau
executive staff focal point for decision-making and communication on privacy, security, confidentiality
and administrative records policy issues. The DSEP has adopted a set of Privacy Principles, based in
part on privacy guidelines issued by the Organization for Economic Cooperation and Development in 1980,
the Principles for Providing and Using Personal Information ("Privacy Principles"),
published by the Information Infrastructure Task Force in 1995, and the fair information principles of
the Privacy Act. These principles, which are aligned with our mission, guide us in achieving our
goals and objectives. Along with the privacy principles, the DSEP put in place new policies
(available upon request) that strengthen our cultural commitment to data stewardship.
The Privacy Impact Assessment (PIA) is one tool for implementing and creating awareness of data
stewardship policies. Privacy Impact Assessments are required by the E-Government Act of 2002
whenever "developing or procuring information technology . . . or initiating a new collection
of information . . . in an identifiable form . . . ." They also are required by Office of
Management and Budget (OMB) Circular No. A-11 and OMB Exhibit 300, "Capital Asset Plan and
Business Case," which tie together privacy considerations, executive agency funding requests,
and Enterprise Architecture (EA) requirements. PIAs also link project and system risk assessments
to ensure the provision of adequate security, as defined by OMB Circular A-130. Finally, PIAs
link Privacy Act and Paperwork Reduction Act requirements through identification of System of
Record Notices (SORNs) and Information Collection Requests (ICRs).
2.0 Purpose of PIAs
The purpose of PIAs is to ensure no collection, storage, access, use, or dissemination of
identifiable respondent information (businesses and individuals) that is not needed or permitted.
According to OMB, "PIAs are structured reviews of how information is handled: (i) to ensure
handling conforms to applicable legal, regulatory, and policy requirements, (ii) to determine the
risks and effects of collecting, maintaining and disseminating information in identifiable form
in an electronic information system, and (iii) to identify and evaluate protections and alternative
processes for handling information to mitigate potential privacy risks."
Despite the use of the term "privacy," PIAs typically cover privacy, confidentiality,
integrity, and availability issues, which the Census Bureau equates with "data stewardship."
Therefore, the Census Bureau refers to these evaluations as Data Stewardship/Privacy Impact
Assessments (DS/PIAs).
3.0 Benefits of DS/PIAs
DS/PIAs facilitate data stewardship, management, awareness, and compliance efforts. At the
Census Bureau, DS/PIAs are also a project management tool, allowing program and project managers
to integrate data stewardship considerations into the planning and design phases of work. The
detail level assessment is based on specific data stewardship policies. This approach has the
advantage of early detection and avoidance of certain sensitivities altogether or of identifying
risk mitigation activities that may need to be incorporated into a funding request or change
management process.
4.0 The Census Bureau's DS/PIA Scope and Methodology
A full DS/PIA is conducted on programs whether they contain Personally Identifiable Information
(PII), Identifiable Business Information (IBI), or both. Identifiable information is defined as
information that directly identifies people or businesses. Examples include direct references
such as name, address, social security number, employer identification number, financial information,
or another identifying number or code such as a telephone number or email address. It also includes any
information used separately or in combination to reference other data elements that are used for
identification, such as gender, race, birth date, or geographic indicator. These two types of
identifiers (PII and IBI) allow identification of specific individuals or businesses, as defined
in the glossary.
A complete assessment ensures alignment with Census Bureau data stewardship strategies, goals,
principles and policies. The guidance from OMB directs that PIAs cover the following items:
- What information is to be collected.
- Why the information is being collected.
- The intended use of information by the agency.
- With whom the information will be shared.
- What notice or opportunities for consent would be provided to individuals regarding
what information is collected and how that information is shared.
- How the information will be secured.
- Whether a system of records is being created under Section 552a of Title 5,
United States Code (commonly referred to as the "Privacy Act").
The Census Bureau DS/PIA addresses the OMB questions in 3 groups, two related to projects and
one related to supporting systems:
- Project -
  - The nature and type of data being collected (OMB questions 1, 2, and 5 in part)
  - The activities surrounding the handling of, use of, and access to the data (OMB
    questions 3, 4, 5 in part, and 7)
- Supporting Systems -
  - The computer systems through which the data will pass and/or in which they will reside
    (OMB question 6)
5.0 DS/PIA Process/Procedure
The review makes use of a structured tool--a series of questions that determine whether the planned
system or activity is consistent with our organization's privacy principles, procedures, and
controls. The tool is used by program and project managers throughout the lifecycle of the project,
beginning as part of the initial decision-making process when initiating and designing projects
involving the collection or use of identifiable data and the dissemination of products protected
by disclosure avoidance techniques. Staff familiar with the privacy principles, policies, and the
DS/PIA tool assist program managers in completing the DS/PIA through face-to-face meetings,
thereby ensuring consistency and understanding.
6.0 Structure of DS/PIAs
The Census Bureau’s DS/PIA exists in Microsoft Excel as a complete workbook. The workbook
is broken into the following sections, which are provided as separate "sheets."
- Sheet 1: Cover Page
- Sheet 2: Introduction
- Sheet 3: User Guide and Glossary
- Sheet 4: Assessment
- Sheet 5: System Write-up
- Sheet 6: Data Sensitivity
- Sheet 7: Activity Sensitivity
6.1 Sheet 1 Cover Page - identifies:
- program/project name
- related OMB Exhibit 300 document number if applicable
- PIA completion date.
6.2 Sheet 2 Introduction -
provides an overview of the Census Bureau’s DS/PIA process, tool, and the relationship
to the Census Bureau’s overall Data Stewardship Program.
6.3 Sheet 3 User Guide/Glossary -
provides an overview of the PIA tool and a glossary of frequently used terms.
6.4 Sheet 4 Assessment -
The DS/PIA Instrument poses a set of questions to program managers and is used to develop
the DS/PIA "score." The questions are grouped by Privacy Principle. The associated
Privacy Principle is identified in the first column of the sheet. The questions are also
grouped into Data and Activity "Sensitivities."
- DR: Data Risk Assessment
- DRM: Data Risk Mitigation
- AR: Activity Risk Assessment
- ARM: Activity Risk Mitigation
These sensitivities are identified in the second column of the spreadsheet throughout Sheet 4, Assessment.
Risk assessments represent elements of the program that introduce privacy-associated risks.
Mitigation activities represent adherence to and application of policy requirements that negate
the risks associated with a particular element. This assessment gives the manager opportunity
to consider what the most appropriate activities are and ensure all policy requirements are met.
See 6.4.3 Subsection 3 - Net Scoring and 6.6 Risk Assessment for more information.
6.4.1 Subsection 1: Identification Section
Documents a clear link to OMB Exhibit 300 or IT Business Plan, and any applicable Paperwork
Reduction Act (PRA) Information Collection Request (ICR). Identifies program contact information
and the associated IT Security Plan(s).
6.4.2 Subsection 2: Questions organized by the Census Bureau’s four Privacy
Principles, addressing:
- Mission Necessity
- Openness
- Respectful Treatment of Respondents
- Confidentiality
6.4.2.1 Privacy Principle 1 Mission Necessity Questions cover:
- breadth and depth of a data collection
- whether sensitive topics are addressed
(Sensitive topics are defined as: abortion; alcohol, drug, or other addictive products;
illegal conduct; illegal immigration status; information damaging to financial standing,
employability, or reputation; information leading to social stigmatization or discrimination;
politics; psychological well-being or mental health; religion; same-sex partners; sexual
behavior; sexual orientation; taxes; and other information sensitive due to specific cultural or
other factors.)
6.4.2.2 Privacy Principle 2 Openness Questions cover:
- tracking of notification for mandatory data collections and of consent for
voluntary data collections
- consent related to the use of proxies or data from third parties, which are
often, but not always, administrative records from other federal agencies
- applicable System of Record Notices
6.4.2.3 Privacy Principle 3 Respectful Treatment of Respondents Questions cover:
- actual data collection activities
- targeting of population groups
- burden
- frequency of the collection
- associated Paperwork Reduction Act (PRA) Information Collection Request (ICR) Numbers
6.4.2.4 Privacy Principle 4 Confidentiality Questions cover internal controls related to:
- need-to-know access
- use of off-site facilities
- data transfers among systems
- dissemination of products that have been protected by disclosure avoidance techniques
- archiving plans
- sensitive data (including sensitive topics, but broader) or information
6.4.3 Subsection 3 - Net Scoring
The DS/PIA uses responses to the series of questions in Sheet 4, Assessment, to measure
sensitivity and mitigation and calculate a net rating of low, medium, or high for the
"data" and "activity" aspects of a project. These two "net"
scores make up the Project Score. The last score, System Score, is obtained from the
security review and certification described on Sheet 5, IT System Security Evaluation.
6.4.4 Subsection 4 - Signature block
Documents the review and approval of the assessment by the Census Bureau program unit
Associate Director, Chief Information Officer, and Chief Privacy Officer.
6.5 Sheet 5 System Write-Up - IT System Security Evaluation
This narrative describes the specific mitigations in place for the particular IT systems
supporting a program. It also describes the Census Bureau's IT security review and
certification process, which is undertaken for each computer system. The DS/PIA uses
results from this process for the System Score, as identified in 6.4.3 Subsection 3 - Net Scoring.
6.6 Risk Assessment
An ordinal rating is used to assess the risk level of DS/PIAs. There are two sensitivity
matrix sheets, Data Sensitivity, and Activity Sensitivity. The Data Sensitivity Matrix
Sheet relates to the data questions on Sheet 4, Assessment. The Activity Sensitivity
Matrix sheet relates to activities questions on Sheet 4, Assessment.
There are several scores provided on each matrix. The first is the Total Unmitigated
risk level. This represents the risk level prior to or without consideration of the
mitigation activities undertaken for the program. The second score is the Net Sensitivity
score that represents the risk level after applying the mitigation strategies. It is this
"Net" score that is recorded on Sheet 4, Assessment, Subsection 3 Net Scoring.
These "Net" scores are calculated by determining the difference between the
total sensitivity scores and the total mitigation scores. The rating break points are:
<4 = LOW, 4-11 = MEDIUM, >11 = HIGH.
Each matrix is separated into topic areas. Each of these topic areas is given a score
once mitigation scores are applied. This is used as a general gauge to determine where
additional risk mitigation strategies might be best applied or considered.
Mitigation
Project sensitivity may vary; however, appropriate mitigation activities keep all projects
protected. The goal is to mitigate projects from the high or medium level to the medium or low level.
Most of the mitigation questions ask about the applicability of and conformance to statute,
regulation, or policy. The Census Bureau’s suite of data stewardship policies covers
most of the data, activity, and systems sensitivity areas. In a few cases, policies are
under development. Therefore, the tool asks about additional activities that a program
area may voluntarily undertake to reduce or mitigate sensitivity or risk. The effect of
this is recorded on Sheet 7, Activity Sensitivity, as a final revised score if applicable.
Unmitigated Risk
In addition, because the scoring system used to identify the adequacy of mitigation
activities to sensitivities focuses on net, or mitigated results, it is possible that some
variation across programs may be masked. To address that concern, the unmitigated risk
score is provided on the Data and Activity Sensitivity sheets.
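The net-scoring rule above (net = total sensitivity minus total mitigation, with break points <4 LOW, 4-11 MEDIUM, >11 HIGH), the per-topic scores, and the reason the unmitigated score is reported alongside the net score can be worked through in code. The following is an added example, not part of the Census Bureau's DS/PIA workbook: the question weights, topic names, and the two sample programs are constructed for illustration, and rating the unmitigated total with the same break points as the net score is an assumption of this example. It also shows how two programs with the same net rating can differ sharply in unmitigated risk, which is the masking the guide describes.

```python
from collections import defaultdict
from dataclasses import dataclass


def rate(score: int) -> str:
    """Rating break points from the guide: <4 = LOW, 4-11 = MEDIUM, >11 = HIGH.
    A net score can be negative when mitigation exceeds sensitivity; it is still LOW."""
    if score < 4:
        return "LOW"
    if score <= 11:
        return "MEDIUM"
    return "HIGH"


@dataclass(frozen=True)
class Response:
    """One 'yes' answer on Sheet 4. `code` is the second-column sensitivity code
    (DR, DRM, AR, ARM); `topic` is the matrix topic area; `points` is the weight.
    Weights and topic names here are constructed; the guide does not publish them."""
    code: str
    topic: str
    points: int


# Which codes feed each matrix: (sensitivity code, mitigation code).
MATRIX_CODES = {"data": ("DR", "DRM"), "activity": ("AR", "ARM")}


def score_matrix(responses, aspect):
    """Score one sensitivity matrix (Sheet 6 'data' or Sheet 7 'activity').

    Returns the Total Unmitigated score, the total mitigation score, the Net
    score (unmitigated - mitigation), their ratings, and a per-topic net rating
    used to see where further mitigation would matter most."""
    sens_code, mit_code = MATRIX_CODES[aspect]
    sens_by_topic = defaultdict(int)
    mit_by_topic = defaultdict(int)
    for r in responses:
        if r.code == sens_code:
            sens_by_topic[r.topic] += r.points
        elif r.code == mit_code:
            mit_by_topic[r.topic] += r.points
    unmitigated = sum(sens_by_topic.values())
    mitigation = sum(mit_by_topic.values())
    net = unmitigated - mitigation
    topics = sorted(set(sens_by_topic) | set(mit_by_topic))
    per_topic = {}
    for t in topics:
        topic_net = sens_by_topic.get(t, 0) - mit_by_topic.get(t, 0)
        per_topic[t] = (topic_net, rate(topic_net))
    return {
        "unmitigated": unmitigated,
        "unmitigated_rating": rate(unmitigated),  # assumption: same break points
        "mitigation": mitigation,
        "net": net,
        "net_rating": rate(net),
        "per_topic": per_topic,
    }


def project_score(responses):
    """The two 'net' scores that make up the Project Score (System Score comes
    from the Sheet 5 security review and is not modelled here)."""
    return {aspect: score_matrix(responses, aspect) for aspect in MATRIX_CODES}


def masked_variation(responses_a, responses_b, aspect):
    """True when two programs land on the same net rating but their unmitigated
    ratings differ: the variation the guide says net scoring alone would hide."""
    a = score_matrix(responses_a, aspect)
    b = score_matrix(responses_b, aspect)
    return (a["net_rating"] == b["net_rating"]
            and a["unmitigated_rating"] != b["unmitigated_rating"])


# Constructed sample programs (hypothetical weights and topics).
PROGRAM_A = [
    Response("DR", "sensitive topics", 8),      # asks about a sensitive topic
    Response("DR", "breadth and depth", 5),
    Response("DRM", "sensitive topics", 6),     # e.g. Respondent Identification Policy
    Response("DRM", "breadth and depth", 4),    # e.g. disclosure avoidance applied
    Response("AR", "off-site facilities", 4),
    Response("AR", "special sworn status", 6),
    Response("ARM", "special sworn status", 3),
]
PROGRAM_B = [
    Response("DR", "breadth and depth", 5),
    Response("DRM", "breadth and depth", 2),
]

if __name__ == "__main__":
    for name, prog in (("Program A", PROGRAM_A), ("Program B", PROGRAM_B)):
        for aspect, result in project_score(prog).items():
            print(name, aspect, result["unmitigated_rating"], "->", result["net_rating"],
                  result["per_topic"])
    print("masked:", masked_variation(PROGRAM_A, PROGRAM_B, "data"))
```

Both sample programs net to 3 (LOW) on the data matrix, but Program A started at 13 (HIGH) and Program B at 5 (MEDIUM); only the unmitigated column on the matrix sheet makes that difference visible. The per-topic nets point a manager at the topic area where an extra voluntary mitigation activity would change the rating.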
6.6.1 Sheet 6 Data Sensitivity
This sheet categorizes the "data" related questions asked on Sheet 4, Assessment,
into either "sensitivities" or "mitigations." These are identified as
"DR" for Data Risk Assessment and "DRM" for Data Risk Mitigation
throughout Sheet 4. For example, asking about a sensitive topic introduces "sensitivities"
to the project. Ensuring adherence to the Respondent Identification Policy, which
addresses within-household confidentiality, is a mitigation activity. A score is
associated with each question to "net" a rating by topic of low, medium,
or high for each topical area.
6.6.2 Sheet 7 Activity Sensitivity
This sheet is organized in the same manner as the Data Sensitivity Sheet. It covers
activity-related question topics, such as those related to use of Special Sworn Status or
use of off-site facilities. These questions are identified as "AR" for Activity
Risk Assessment and "ARM" for Activity Risk Mitigation throughout Sheet 4, Assessment.