TREASURY DIRECTIVE: TD 25-07
DATE: August 06, 2008
SUBJECT: Privacy Impact Assessment (PIA)
1. PURPOSE. This directive states policy and assigns responsibilities for implementing the privacy provisions of the E-Government Act of 2002 (the Act). The purpose of the Act is to ensure sufficient protections for the privacy of personal information of the public as the Department implements citizen-centered electronic government, and authorizes Treasury Department Publication (TD P) 25-07, "Privacy Impact Assessment Manual."
2. SCOPE. This Directive applies to all bureaus, offices, and organizations in the Department of the Treasury that are responsible for conducting privacy impact assessments.
3. DEFINITIONS.
a. Bureau Heads – The individual responsible for leading each bureau, including the Treasury Inspector General, the Treasury Inspector General for Tax Administration, and the Assistant Secretary for Management and Chief Financial Officer (for Departmental Offices). The authority of the Inspectors General is set forth in Section 3 of the Inspector General Act and the Internal Revenue Service Restructuring and Reform Act, and defined in Treasury Order 114-01 (OIG) and Treasury Order 115-01 (TIGTA), or successor orders. The provisions of this directive shall not be construed to interfere with that authority.
b. Individual - A citizen of the
c. Information in an identifiable form (IIF) - Information in an IT system or online
d. Information Technology (IT) - As defined in the Clinger-Cohen Act, any equipment,
e. Privacy Impact Assessment (PIA) - An analysis of how information is handled: (i) to
f. Privacy Threshold Analysis (PTA) - An abbreviated assessment used to determine
g. Reviewing Official - The Department or bureau/office Chief Information Officer (CIO)
h. System Developer - Staff that designs, develops, and integrates a system for the system
i. System Owner - The official in the program office who is responsible for the use of the
4. POLICY.
It is the policy of the Department of the Treasury to:
a. perform a PTA when a new system development is initiated, or an enhancement or modification is undertaken on an existing system to determine if IIF is present and is either from or about the public;
b. conduct a PIA before developing or procuring information technology (IT) systems or projects that collect, maintain, or disseminate information that is in an identifiable form from or about members of the public;
c. conduct a PIA when issuing new or updated rulemaking that affects personal information and when initiating, consistent with the Paperwork Reduction Act, a new electronic collection of information in identifiable form for ten or more persons (excluding agencies, instrumentalities, or employees of the federal government);
d. require that under any IT contract any activities or functions performed on behalf of the Department be conducted in accordance with the E-Government Act;
e. conduct and update PIAs as necessary where an IT system change creates new privacy risks;
f. update PIAs to reflect changed information collection authorities, business processes, or other factors affecting the collection and handling of information in identifiable form;
g. make the PIA and, if prepared, a summary publicly available on the website (consistent with executive branch policy on the release of information about systems for which funding is proposed), in the Federal Register, or through other means; and
h. protect the privacy of personal information collected in federal records and on federal web sites pursuant to all statutes relating to agency use, collection, and disclosure of such information.
5. RESPONSIBILITIES.
a. Deputy Assistant Secretary for Privacy and Treasury Records (DASPTR) shall:
1) establish policies, procedures, and standards to conduct PIAs and provide oversight for the implementation of Section 208 of the Act;
2) provide oversight and assist bureaus and offices to ensure that they comply with the guidelines for conducting PIAs;
3) review bureau and office PIAs, provide PIA training, and establish a process to conduct PIA compliance reviews;
4) coordinate the annual report to OMB on the Department
5) disseminate additional policy appropriate to this subject and provide, as necessary, assistance to bureaus and offices in policy implementation; and
6) provide policy guidance and direction on privacy protection matters as they relate to the Privacy Act and the implementation of those portions of Section 208 of the E-Government Act relating to the protection of the privacy rights of individuals.
b. The Bureau Heads shall:
1) conduct privacy impact assessments for information systems and information collections before developing or procuring such systems, or initiating any new information collections, containing IIF from or about the public;
2) evaluate the measures for protecting privacy in IT systems that are acquired, developed, enhanced, maintained, and terminated in accordance with Treasury PIA guidance (additional guidance shall be defined in TD P 25-07, the PIA Manual);
3) make PIAs publicly available on the bureau public website, in the Federal Register, or by some other means;
4) ensure adequate participation in the PIA process from all pertinent functional areas, e.g., the IT Security Officer, Privacy Act Officer, the System Developer, the Business Owner;
5) conduct privacy impact assessment training and provide guidance to employees and contractors who are involved in conducting PIAs;
6) ensure that PIAs are submitted to the Office of the Chief Information Officer, as supporting documentation to the Exhibit 300s for IT investments;
7) designate appropriate bureau and office officials who will be responsible for implementing Section 208 of the Act, serving as the principal contacts for IT and web matters, and serving as the reviewing officials for PIAs; and
8) work with the bureau Privacy Act Officer and IT Security Officer who will provide critical review and analyses of privacy and security issues related to PIAs within their respective organizations.
6. PROCEDURES.
Detailed guidelines shall be set forth in TD P 25-07, "Privacy Impact Assessment Manual."
7. AUTHORITIES.
a. Consolidated Appropriations Act of 2005, Public Law 108-447, Division H, Section 522.
b. E-Government Act of 2002, Public Law 107-347, Section 208, and Title III, the Federal Information Security Management Act.
c. Clinger-Cohen Act, Public Law 104-106, Division E.
d. Paperwork Reduction Act of 1995, Public Law 104-13.
e. Privacy Act of 1974, Public Law 93-579, as amended.
f. Treasury Order 102-25, "Delegation of Authority Concerning Privacy and Civil
8. REFERENCES.
a. OMB Circular A-123, "Management Accountability."
b. OMB Circular A-130, "Management of Federal Information Resources."
c. TD 80-05, "Records and Information Management Program."
d. TD P 80-05, "Records and Information Management Manual."
e. TD P 84-04, "Information System Life Cycle Manual."
f. TD P 85-01, "Treasury Information Technology Security Program."
g. OMB M-03-22, "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002."
9. OFFICE OF PRIMARY INTEREST. Office of the Deputy Assistant Secretary for
/S/
Peter B. McCarthy
Assistant Secretary for Management
and Chief Financial Officer