NIH Office of Management Assessment
Privacy Act
Frequently Asked Questions


What are the current policies regarding the Privacy Act and the computer system we use? The question is prompted by a warning notice on our screens that says officials have the right to intercept all messages, even ones with sensitive information in them. It closes by saying, "there is no right of privacy on this system". I'm all for us being able to investigate possible wrongdoers, but where does this blanket "no right of privacy" come from? Also, since e-mail may, in certain circumstances, be intercepted, doesn't the entire system come under the Privacy Act? Shouldn't people from the outside who send us stuff be warned also?

Government e-mail systems are business systems provided for conducting the Government's business. Although limited, incidental personal use of e-mail may be permitted, users should have no expectation of privacy. The Privacy Act does not generally apply to the Government's e-mail systems as such. E-mail can be read on the servers it passes through, and by supervisors and others when necessary to fulfill their work-related responsibilities; court decisions have upheld both the status of e-mail as an agency business system and the agency's access to it. Current NIH policy is that e-mail which meets the definition of an official record should be printed and filed in a hard-copy records system, or transferred to an electronic records management system where appropriate security can be maintained. Private information sent by e-mail also requires appropriate security: password-protect it (for example as an encrypted attachment, with the password sent by a separate channel rather than in the same message), print it, and file it in an official records management system. Keep in mind that supervisory officials still have the right to read or review a message if they have a work-related need to see the file. The potential scrutiny of e-mail is no different from that for Government mail or other records. Notice to the individuals from whom personal information is collected is required only when that information is collected and maintained in a system of records, so outside senders need not be warned simply because their e-mail could be intercepted.

Who is my Privacy Act Officer/Coordinator?

The NIH Privacy Act Officer is Karen Plá, Division of Management Support, OMA, OM. For a listing of IC PA contacts, see PA coordinators.

Who is responsible for maintaining a list of Privacy Act systems of records and the current System Managers for systems in my IC/OD office?

The IC/OD Privacy Act Coordinator is responsible for maintaining this information.

Where would I find the System Notices that cover Personnel, EEO, Finance and Ethics Systems of Records (SORs)?

The GPO Access website listed below contains agency system notices published in 2003. Some of these are HHS umbrella systems of records which NIH uses to cover its Personnel/EEO and Finance records. The Ethics SORs listed below are Office of Government Ethics (OGE) umbrella systems which NIH uses to cover its Ethics records. NIH is in the process of developing its own Ethics SORs.

The GPO Access website offers a number of search options. One option is to open the URL below, scroll down to item 3 (the System Number field), type either 09-90-0018 or 09-90-0024, and click Submit to obtain the text of that SOR.

GPO Access website: http://www.gpoaccess.gov/privacyact/2003.html

Personnel/EEO Records:

SOR # 09-90-0018, Personnel Records in Operating Offices, HHS/OS/ASPER

Finance Records:

SOR # 09-90-0024, Financial Transactions of HHS Accounting and Finance Offices, HHS/OS/ASMB

Ethics Records:

OGE/GOVT-1, Executive Branch Personnel Public Financial Disclosure Reports and Other Name-Retrieved Ethics Program Records

OGE/GOVT-2, Executive Branch Confidential Financial Disclosure Reports

What are the security requirements for Privacy Act systems of records?

Security requirements for Privacy Act systems of records are contained in the HHS Information Systems Security Program Policy at http://intranet.hhs.gov/infosec/docs/policies_guides/ISPPH/PG_ISPolicyv2_12_15_2005.doc.

What are the responsibilities of the system manager with respect to the records?

Excerpt from PHS General Administration Chapter 45_10, page 8

The System Manager or designee, in consultation with higher program management officials and the Privacy Act Officer/Coordinator, is responsible for:

a. Outreaching to their respective constituencies to inform them of their rights under the Privacy Act (e.g., program beneficiaries, research subjects, etc.)

b. Receiving, evaluating, and granting or denying, as appropriate, requests for notification of, access to, and disclosure of records in the system.

c. Maintaining an accounting of disclosures outside DHHS and ensuring that all recipients of information from records are informed whenever those records have been amended or statements of disagreement have been filed for inclusion in the record.

d. Amending (including expunging) records in cases where it has been determined at the request of the individual concerned that amendment is appropriate.

e. Notifying individuals whose requests for notification of, access to, or amendment of records pertaining to them have been denied, of their right to appeal, and of the appropriate official designated to render appeal decisions as cited in section PHS.hf: 45_10_35 above.

f. Ensuring that all records and data in the system are complete, accurate, timely, and relevant to the accomplishment of a function authorized by statute or Executive order of the President.

g. Monitoring a contractor's compliance with Privacy Act requirements for systems of records disclosed to or maintained by the contractor.

h. Conducting periodic risk analyses and security audits, and ensuring that the system is being maintained with adequate safeguards to preserve the integrity of the records and the information therein.

i. Formulating and maintaining records retention and disposal schedules, in consultation with the appropriate records management officer.

j. Ensuring that forms used to collect data directly from individuals comply with the requirements of section 3.(e)(3) of the Privacy Act.

k. Providing the appropriate PHS agency head or staff office director, or the designee of such official, with complete and accurate information for required Privacy Act reports and for development of updated system notices for Federal Register publication.

l. Ensuring that all employees under their supervision whose duties require that they work with the system of records receive adequate training both in their specific responsibilities under the Privacy Act, and in the statutory penalties for noncompliance.

If a system is used NIH wide is there a need to have system manager(s) in the institutes? What designates where a system manager is required?

This depends on the system and the amount of control given to an IC. A System Manager has been identified in those ICs that have greater access to and control of the records.

Are you familiar with a Determination of Non-applicability of the Privacy Act? A contracting officer sent the following e-mail: "Do we still submit a Determination of Non-applicability of the Privacy Act (along with the statement of work) to your attention? I have a project plan from a project officer that states the Privacy Act doesn't apply to her procurement."

Yes. The RFC must contain a statement regarding applicability of the Privacy Act. When the Privacy Act applies, a copy of the applicable system notice must be attached to the RFC (see FAR Subpart 24.1). If a contract covers Privacy Act records, the contract must include FAR clauses 52.224-1, Privacy Act Notification, and 52.224-2, Privacy Act.

Where can I find information on Privacy Impact Assessments (PIAs)?

  • ProSight FISMA Information and Links

  • Section 208 of the E-Government Act of 2002 - The full text.

  • OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 - Memorandum M-03-22 issued by OMB in September 2003.

  • Federal Information Security Management Act of 2002 (FISMA) - The full text.

  • OMB Memorandum M-05-15, FY2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management - Memorandum M-05-15 issued by OMB in June 2005.

  • HHS Privacy Impact Assessment (PIA) Form - Issued by the Department in January 2006.

  • Secure One HHS Privacy Impact Assessment (PIA) Guide (01/10/2007)

    The PIA guide outlines a standard approach for conducting a PIA for all Departmental systems. This guide also provides a summary of federal legislative, regulatory, and guidance requirements related to protecting information in identifiable form (IIF) contained in Departmental systems. Word version; .pdf version

  • Secure One HHS Privacy Page

  • NIH Privacy Impact Assessments - NIH Manual Chapter 1745-1.

  • NIH Privacy Impact Assessment (PIA) Guide

  • NIH PIA Training
    Black and white version or Color version

  • IT Security at NIH - The Center for Information Technology security homepage.

  • NIH Privacy Act System Notices - Systems of Records (SORs) at NIH.

  • NIH Web Page Privacy Policy - NIH Manual Chapter 2805.



Last updated on: July 17, 2008