Federal Emergency 
Management Agency


Submitted by
William S. Prusch
Chief, System Engineering and Development Branch
Information Technology Services Division
Federal Emergency Management Agency


TABLE OF CONTENTS
1	INTRODUCTION				2
1.1	Background				2
1.2	Scope					3
2	AGENCY PROCESS				5
2.1	System Description			5
2.2	Reason for Collecting Privacy Data	5
2.3	Information Type			6
3	PRIVACY IMPACT ANALYSIS			7


Appendix A Data Elements			10
Appendix B FEMA Form 90-69			15


1	INTRODUCTION
The Department of Homeland Security (DHS)/Emergency Preparedness and Response 
(EP& R)'s/Federal Emergency Management Agency (FEMA's) objective of this Privacy 
Impact Assessment (PIA) is to identify and to address the safeguarding of personal 
information that may result from our proposed addition of an electronic method (via the 
Internet) of data collection of disaster assistance applications from individuals.  This 
electronic (Internet) method of collecting individuals' personal information on the Federal 
Emergency Management Agency (FEMA) Form 90-69 will not alter the data elements 
currently covered by the existing approved system of records (e.g. paper applications).  
This PIA document reexamines the privacy implications to ensure that adequate privacy 
considerations and protections have been applied to this electronic framework.
1.1	Background
Rapid advancements in computer technology make it possible to store, retrieve, and 
associate vast amounts of data quickly and efficiently.  These advancements have raised 
concerns about the impact of large computerized information systems on the privacy of 
individuals who submit their personal data.  Public concerns about highly integrated 
information systems operated by the government make it imperative to commit to a 
positive and aggressive approach to protecting individual privacy.  Further, there are legal 
requirements to address these issues as derived from the following references:

-	Privacy Act of 1974, as amended, 5 U.S.C. 552a (the "Privacy Act"), Public Law 
	93-579; 
-	Computer Security Act of 1987, Public Law 100-235, 40 USC §759; 
-	Clinger-Cohen Act of 1996, Public Law 104-106; 
-	Paperwork Reduction Act of 1995, 44 U.S.C. 3501, et seq., as amended; 
-	Freedom of Information Act, 5 U.S.C. 552 (2000); 
-	Office of Management and Budget (OMB) Circulars A-130:  Management of 
	Federal Information Resources  (1996) 
-	Office of Management and Budget (OMB) Circulars A-123:  Management 
	Accountability and Control (1995).  

In order to provide assistance to victims of a disaster, the DHS/EP& R/FEMA must 
collect, store, and manage detailed data on individuals, which is subject to privacy 
protections in accordance with the foregoing references.  
In addition to the foregoing privacy-related documents, FEMA's National Emergency 
Management Information System (NEMIS), which hosts this system of records, complies 
with the following guidelines to protect the data stored in the NEMIS databases from 
unauthorized access:

-	Federal Information Security Management  Act (FISMA) Title III of the E-
	Government Act Public Law 107-347
-	Government Paperwork Elimination Act (GPEA) Sec 1702 
-	Computer Fraud and Abuse Act of 1986, public law 99-474, 18 USC §1030
-	 Presidential Decision Directive: Critical Infrastructure Protection (PDD-63) 
-	Executive Order 13010 Critical Infrastructure Protection  
-	Office of Management and Budget OMB Circular A-123, Management 
	Accountability and Control 

-	OMB Circular A-127, Financial Management Systems
-	OMB Circular A-130, Management of Federal Information Resources, Appendix 
	III, Security of Federal Information Resources
-	National Information Standard Technology (NIST) Special Publications (SP) 800-
	18, Guide for Developing Security Plans for Information Technology Systems
-	NIST SP 800-14, Generally Accepted Principles and Practices for Securing 
	Information Technology Systems
-	NIST SP 800-26, Security Self-Assessment Guide for Information Technology 
	Systems
-	NIST SP 800-30, Risk Management Guide
-	NIST SP 800-34, Contingency Planning for IT Systems

In accordance with our existing Privacy Act system of records, the "Disaster Recovery 
Assistance Files", (66 FR 51436--October 9, 2001), FEMA collects this personal 
information through applications in one of two ways.  1) Through applications in hard 
copy (paper) form when an individual fills out a paper application, or 2) by the telephone 
interview method, by which an individual calls FEMA through a published disaster 
assistance phone number, and a teleregistrar reads all of the questions, and inputs the 
individual's answers directly into NEMIS.   

In accordance with our existing Privacy Act system of records, FEMA collects this 
information in hard copy (paper) form, and stores it electronically in the NEMIS system.   
Specifically, the information has been collected from individuals either through 
applications in paper form by an individual filling out an application (which is input into 
the system by FEMA's data entry staff), or via telephone interviews with disaster victims 
who call in to a published disaster assistance number where FEMA employees record 
their personal application information directly into the NEMIS system.  In either case, the 
same type of personal information goes into the already existing Privacy Act system of 
records (the "Disaster Recovery Assistance Files") to be processed by the system.
The system used to store and process these data is the National Emergency Management 
Information System (NEMIS) Individual Assistance (IA) Module.  In the telephone 
interview process, NEMIS provides the teleregistrars with the exact questions to be read 
to the applicant. The teleregistrar then enters the applicant's verbal response into the 
corresponding entry on the form. This proposed modification to the NEMIS IA module 
will use the same tools and processes except that the question will be displayed to the 
applicant electronically, via the Internet rather than being read to the applicant by a 
teleregistrar.  The applicant will then enter the information into the system via the 
Internet.  A 128-bit encrypted secure Internet connection will be used. 
1.2	Scope
We propose to make the Internet available for individuals to apply for disaster assistance 
in addition to the paper FEMA Form 90-69 application, and calling in through the 
telephone interview method.  The proposed upgrade to the existing NEMIS IA Module 
would allow disaster victims an additional method to apply (electronically through 
accessing the Internet) for Individual Assistance (IA) disaster assistance.  The new 
electronic method of applying for disaster assistance is the reason for this Privacy Impact 
Assessment (PIA).  The Internet process will collect the same information that is 
currently collected by the paper and the telephone interview process under the existing 
Privacy Act system of records.  Once collected, the Internet-supplied information from 
the individual will be processed and protected in the same manner with the same 
electronic safeguards in NEMIS, as the information transcribed from the paper form , or 
entered during the telephone interview method.  In effect, the FEMA Form 90-69, 
"Disaster Assistance Registration/Application" form will be accessible electronically 
over the Internet at FEMA's website via a 128-bit secure connection.  The FEMA web 
site will be advertised on //WWW.FEMA.GOV.

A description of the specific types of personal data to be collected on the FEMA Form 
90-69 is itemized within Appendix A.  

This PIA describes the IA programs and the NEMIS system's processes for protecting the 
privacy of personal information collected for disaster assistance in accordance with the 
Department of Homeland Security (DHS) Privacy Office's policy on the electronic 
collection of personal information.  This PIA is intended to:
-	Determine the risks and effects of collecting, maintaining and disseminating 
	information in identifiable form in an Internet-capable electronic information 
	system, and 
-	Evaluate protections and alternative processes for handling information to 
	mitigate potential privacy risks.  



2	AGENCY PROCESS
The Department of Homeland Security's Privacy Office has made protecting the privacy 
of ordinary citizens a top priority.  The NEMIS IA Module is in full compliance with this 
priority. 
2.1	System Description
NEMIS is an enterprise-wide automated system that integrates hardware, software, 
telecommunications, applications software, and operational procedures to handle the 
processing and management of disaster victim assistance to individual citizens and public 
assistance to State and local government entities.  FEMA works closely with the Small 
Business Administration (SBA), and may share selected data with the SBA.  Formalized 
agreements are in place with SBA for the information sharing  to be limited to "official 
use" only for FEMA and SBA purposes.  State governments are granted  limited access to 
data from only its State's citizens.  In both cases, access to the data is limited and 
controlled.  Only authorized FEMA officials have access to the composite data source.

Data submitted via the Internet are input via a 128-bit Secure Socket Layer (SSL) Internet 
connection.  The disaster victim, who supplies the data originally, may access only their 
own personal data and no other applicant's.  The disaster victim authenticates their own 
information at the time of submission of their own data.  Each individual is granted only 
limited access through a user id, password, and personal identification number (PIN) 
supplied by FEMA, in order to gain subsequent access only to their own data.  Access to 
the data is granted in accordance with National Institute for Standards and Technology 
(NIST) Level 2 Assurance Level.  Exposure of the data via the Internet is highly 
restricted and controlled in several layers to protect the data.  No user accounts on the 
Internet are permitted direct access to the NEMIS database.  The user's request for his 
specific record passes through three firewalls and the request is serviced by a trusted 
account behind the third firewall.  The single record results are then passed back to the 
user, thus protecting the database.  Each firewall serves to prevent unauthorized intruders 
from gaining access to systems behind that firewall.  FEMA has implemented a series of 
these protection zones, which require successive penetration of each firewall to gain 
access to the subsequent one unless an authorized account is used.
2.2	Reason for Collecting Privacy Data
The collection of such personal information is necessary for FEMA to carry out its 
mission of assisting individuals who apply for disaster assistance benefits under the 
Robert T. Stafford Disaster Relief and Emergency Assistance Act.  Complete legal 
descriptions are provided in Appendix B.
The Internet-based data collections provide disaster victims an alternate means of 
submitting their requests for disaster assistance, (e.g. electronically) especially when the 
phone teleregistration process is unavailable due to high demand after a disaster.  This 
method of delivery of service is strongly endorsed and supported by the Public Law 106-
107 and the President's Government to Citizens Initiative as discussed at 
www.whitehouse.gov/omb/egov/pres_initiatives.htm.   
When the information is processed, the individual's record is automatically updated to 
reflect the status of their specific application.  Applicants may call to check on the status 
of their application, and the individual may also call in updates to the personal 
information on their application.  It is especially important to maintain up-to-date 
information on the applicant that will speed up the application processing and render 
assistance quickly and equitably.  These limited updates include an individual's 
temporary address and phone number, social security number, and bank routing and 
account numbers for electronic funds transfers, where appropriate.  Accordingly, we are 
proposing to add a corresponding Internet capability that will provide applicants the 
ability to inquire about the status of their own applications only, and to update only their 
limited personal data electronically. 
2.3	Information Type
Under the currently existing Privacy Act system of records, the FEMA IA Program staff 
collects the following types of privacy information in order to identify the individual 
applying for disaster assistance: an individual's name, home address, Social Security 
number, home phone number, temporary address and phone numbers, personal financial 
information including applicant's bank name, bank account information, insurance 
information, individual or household income, the home's number of occupants, and the 
dollar amount of their disaster losses.  A detailed description of each element and a copy 
of the FEMA Form 90-69 from which the information is extracted is provided in 
Appendix A.

Depending on the nature of the disaster/emergency and subsequent losses, individuals 
may be referred to other Federal, state or local agencies and organizations authorized to 
provide disaster assistance, such as the Small Business Administration, the American Red 
Cross, the Internal Revenue Service, etc.  The applicant is informed when FEMA initially 
collects their personal information collection about the Privacy Act and the possible 
sharing of their information with these referral agencies.  The sharing proceeds pursuant 
to one of the routine uses published in the existing system of records, Disaster Recovery 
Assistance Files, which will published very shortly in the Federal Register. 


3	PRIVACY IMPACT ANALYSIS
	DHS guidelines and Federal Law require a PIA when:
-	Creating any new collection of personal information
-	Employing, developing and/or procuring any new technology or system that can 
	store and thus reveal a person's identity
-	Creating new database(s) or view(s) from old databases or systems

This privacy impact assessment was conducted because this major system enhancement 
adds a new method of collecting the existing personal information data elements 
(electronically via the Internet) that  may pose some privacy concerns.
The detailed privacy impact assessments are provided in Part A.


APPENDIX A
DATA ELEMENTS
Application/Registration for Disaster Assistance
FEMA Form 90-69

Field 1. 
-	Selection of prefix or title, such as Mr. or Ms. 
-	Last name, first name, and middle initial of the applicant.
-	Name suffix such as, Jr., Sr., etc.
Field 1.a. 
-	Language Spoken by the applicant. 
Field 2. 
-	Applicant's social security number (SSN). 
Field 3. 
-	Full physical street address at which the damage occurred. 
Field 4. 
-	Date the damage occurred. 
Field 5. 
-	Phone number used in the applicant's home at the 
	time of the disaster.
-	Second phone number that was in the home at the time of the disaster.
Field 6. 
-	Current Phone No.
Field 7. 
-	Applicant's e-mail address. 

Field 8. 
-	Cause of Damage to the home
Field 9. 
-	Current Location where the applicant is living.
Field 10. 
-	Applicant's mailing address. 
Field 11. 
-	If the applicant's current mailing address is not located in the U.S. or one of its 
	territorial possessions (e.g., Puerto Rico, Virgin Islands, Guam), please enter the 
	full Foreign Address. 
Field 12. 
-	If the applicant has Essential Needs YES/NO
Field 13. 
-	If the applicant has damage to the home (e.g., electrical, heating, floors, walls, 
ceilings, and foundation), check Yes. 
-	If the applicant's home is unsafe, check Yes. 
-	Check Unknown if the applicant does not know if the home is 
	damaged or unsafe.
Field 13a. 
-	Primary Residence
Field 13b. 
-	Own or Rent: check box selection
Field 13c 
-	Residence type: check box selection but allows for Other selection w/ comment
Field 14. 
-	Personal Property Damage: YES/NO
Field 15. 
-	Utilities out: YES/NO
Field 16. 
-	Inaccessible Due to the Disaster: YES/NO
Field 17. 
-	Inaccessible due to mandatory Evacuation: YES/NO
Field 18. 
-	Lost time at work: YES/NO
Field 19. 
-	Medical, Medical Personal Property, and/or Dental Expense: YES/NO
-	Insurance Coverage: YES/NO
-	Insurance company name.
-	Amount.
Field 20. 
-	Moving/Storage: YES/NO
-	Insurance Coverage: YES/NO
-	Insurance Company.
-	Amount.
Field 21. 
-	Other Expenses: YES/NO
Field 22. 
-	Funeral Expense: YES/NO
Field 23. 
-	Business Affected: YES/NO
-	Business name.
-	Business Related Essential Tool/Equipment: YES/NO
-	Does your business operate as a Private not-for-Profit Org.?: YES/NO
Field 24. 
-	Farm or Ranch Damage: YES/NO
Field 25. 
-	Total number of vehicles for the household. (year, make, and model). Insert 
	information.
-	Vehicles Damaged: YES/NO
-	Provide information IN TABLE: Comprehensive and/or Liability Insurance, and 
	if the vehicle(s) is registered. 
-	Total number of vehicles for the household that are drivable. Insert number.
Field 26. 
-	IN TABLE: List the type of insurance that the applicant held at the time of the 
	disaster, including but not limited to sewer backup, earthquake, real property, 
	and/or personal property.  Include the name of the insurance company.

Field 27. 
-	IN TABLE: List information for the applicant and all other persons/dependents, 
	whether or not they are related to the applicant,  who considered the home to be 
	their primary residence at the time of the disaster.  It is important that the 
	applicant's SSN be included. 
Field 28. 
-	Self-employed as a Primary Source of Income: YES/NO
-	Primary Source of Income: insert information
-	Number of claimed dependents: insert information.
-	Combined individual or household pre-disaster gross Income: insert information. 
	Check box: (weekly, bi-weekly, monthly, quarterly, or yearly). 
Field 29. 
-	Electronic Funds Transfer: YES/NO
-	Institution name: enter information
-	Routing No.: enter information (9 digit number)
-	Account type by marking the Checking or Savings box.
-	Account no.: enter information.
Field 30. 
-	Enter any additional comments as necessary.







APPENDIX B: FEMA Form 90-69
Indiviual Assistance Privacy Impact Assessment		September 21, 2004