Privacy Questions
Is my privacy protected?
The only persons authorized to see your personal information are personnel security, suitability, and investigations professionals who have the appropriate security clearance and who have a demonstrated need to access the information.
Where can I get more information about how my information is used?
If you have questions regarding the use of your information, you may contact your NIH representative or contract project officer or see the Contact Us page.
Who has access to my background investigation or FBI fingerprint check?
Information about you that we store to issue you an ID badge (PIV card) and run the program is considered a system of records subject to the Privacy Act of 1974, 5 U.S.C. § 552a(b). The Act permits NIH to give your information to: the appropriate government organization if your records show a violation or potential violation of law; to the Department of Justice, a court, or other decision-maker when the records are relevant and necessary to a lawsuit; to a federal, state, local, tribal, or foreign agency that has records we need to decide whether to retain an employee, continue a security clearance, or agree to a contract; to the Office of Management and Budget to evaluate private relief legislation; to agency contractors, grantees, affiliates, or volunteers, who need access to the records to do agency work and who have agreed to comply with the Privacy Act; to the National Archives and Records Administration for records management inspections; and to other federal agencies to notify them when your badge is no longer valid. NIH may also give your information to a Member of Congress or to congressional staff at your written request. The full system of records notice with a complete description of routine uses was published in the Federal Register.
What federal regulations and guidance help protect my privacy?
- The Privacy Act of 1974 (5 USC 552a) regulates the federal government's collection, use, maintenance, and dissemination of information about individuals.
- Section 208 of the E-Government Act of 2002 (44 USC 36) establishes procedures to ensure the privacy of personal information in electronic records.
- Section 2.4, PIV Privacy Requirements, in Federal Information Processing Standards 201-1: Personal Identity Verification (PIV) of Federal Employees and Contractors, outlines privacy provisions.
- OMB Memorandum M-03-22: OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 provides specific guidance to agencies for implementing Section 208 of the E-Government Act.
- OMB Memorandum M-05-24: Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors provides direct guidance for implementing HSPD-12 and FIPS 201-1.
- OMB Memorandum M-06-06: Sample Privacy Documents for Agency Implementation of Homeland Security Presidential Directive (HSPD) 12 contains sample privacy documents for agency implementation of HSPD-12. The documents contain an example of a System of Records Notice (SORN) for Personnel Security Files, SORN for Identity Management, ID Proofing and Registration Privacy Act Statement, Card Usage Privacy Act Statement, and a Privacy Impact Assessment (PIA) for Personal Identity Verification (PIV).
- OMB Memorandum M-06-15: Safeguarding Personally Identifiable Information reemphasizes the many responsibilities under law and policy that agencies have to appropriately safeguard sensitive personally identifiable information and tasks the new Senior Agency Official for Privacy with conducting a review of all policies and processes.
How does FIPS 201 protect privacy?
During card issuance and life cycle management, all agencies are required to comply with FIPS 201, Section 2.4, "PIV Privacy Requirements," which outlines strict control measures to ensure the privacy of PIV card applicants and card holders is protected. In addition, Personally Identifiable Information (PII) stored on the card is minimal, as is PII acquired and retained by the issuance system. PII such as electronic fingerprints will be encoded as minutiae templates while stored on a PIV card. The PIV card, once activated, is in the control of the individual it identifies, who can then determine where and under what circumstances to present it. (Refer to OMB Memorandum 06-19 for additional information.)
FIPS 201 2.4 requires that all systems provide continuous auditing of privacy compliance covering collection, use, and distribution of information during program operation. Exactly what information needs to be recorded, how should it be recorded, and how should it be made available to the appropriate people?
Privacy compliance is the responsibility of the Senior Agency Official for Privacy and should follow OMB guidance for privacy documentation. Part one of FIPS 201 outlines these requirements, and NIST Special Publication 800-79 provides accreditation guidelines.
Are there any specific requirements for when and/or how identity data should be protected, and who should or should not be able to access it? How does this requirement specifically affect communications with the IDMS and the FBI IAFIS for PIV-related fingerprint checks?
It is the responsibility of the Senior Agency Official for Privacy to ensure the identity data is properly protected from unauthorized disclosure. Agencies may use alternative methods for protecting information in transit and at rest. Interface specifications are under development and information on these may be accessed at http://www.idmanagement.gov. (Ref: FIPS 201, Section 2.4)
I don't want everybody reading my personal information. Who sees this information?
The only persons authorized to see your personal information are Personnel Security, Suitability and Investigations professionals who have been investigated at the appropriate level and who have a genuine and demonstrated need for access to the information.