TREASURY DIRECTIVE: TD 25-07


DATE: August 06, 2008


SUBJECT: Privacy Impact Assessment (PIA)


1. PURPOSE. This directive states policy and assigns responsibilities for implementing the privacy provisions of the E-Government Act of 2002 (the Act), and authorizes Treasury Department Publication (TD P) 25-07, "Privacy Impact Assessment Manual." The purpose of the Act is to ensure sufficient protections for the privacy of personal information of the public as the Department implements citizen-centered electronic government.


2. SCOPE. This Directive applies to all bureaus, offices, and organizations in the Department of the Treasury that are responsible for conducting privacy impact assessments.


3. DEFINITIONS.


a. Bureau Heads - The individual responsible for leading each bureau, including the Treasury Inspector General, the Treasury Inspector General for Tax Administration, and the Assistant Secretary for Management and Chief Financial Officer (for Departmental Offices). The authority of the Inspectors General is set forth in Section 3 of the Inspector General Act and the Internal Revenue Service Restructuring and Reform Act, and defined in Treasury Order 114-01 (OIG) and Treasury Order 115-01 (TIGTA), or successor orders. The provisions of this directive shall not be construed to interfere with that authority.


b. Individual - A citizen of the United States or an alien lawfully admitted for permanent residence.


c. Information in an identifiable form (IIF) - Information in an IT system or online collection: (i) that directly identifies an individual, or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification.


d. Information Technology (IT) - As defined in the Clinger-Cohen Act, any equipment, software or interconnected system or subsystem that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.


e. Privacy Impact Assessment (PIA) - An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.


f. Privacy Threshold Analysis (PTA) - An abbreviated assessment used to determine whether a PIA is required under Section 208 of the E-Government Act of 2002. The PTA is used to document the presence of IIF from or about the public and is the basis for identifying the need for a PIA.


g. Reviewing Official - The Department or bureau/office Chief Information Officer (CIO) or a designated official other than the official procuring the system or conducting the PIA.


h. System Developer - Staff that designs, develops, and integrates a system for the system owner. The system developers must address whether the implementation of the owner's requirements presents any threats to privacy.


i. System Owner - The official in the program office who is responsible for the use of the system and who implements the legal information resources management requirements of the Department, such as the guidance contained in OMB Memorandum 03-22, dated September 26, 2003.


4. POLICY. It is the policy of the Department of the Treasury to:


a. perform a PTA when a new system development is initiated, or when an enhancement or modification is undertaken on an existing system, to determine whether IIF is present and is either from or about the public;


b. conduct a PIA before developing or procuring information technology (IT) systems or projects that collect, maintain, or disseminate information that is in an identifiable form from or about members of the public;


c. conduct a PIA when issuing new or updated rulemaking that affects personal information and when initiating, consistent with the Paperwork Reduction Act, a new electronic collection of information in identifiable form for ten or more persons (excluding agencies, instrumentalities, or employees of the federal government);


d. require that any activities or functions performed on behalf of the Department under an IT contract be conducted in accordance with the E-Government Act;


e. conduct and update PIAs as necessary where an IT system change creates new privacy risks;


f. update PIAs to reflect changed information collection authorities, business processes, or other factors affecting the collection and handling of information in identifiable form;


g. make the PIA and, if prepared, a summary publicly available on the website, in the Federal Register, or through other means (consistent with executive branch policy on the release of information about systems for which funding is proposed); and

h. protect the privacy of personal information collected in federal records and on federal web sites pursuant to all statutes relating to agency use, collection, and disclosure of such information.


5. RESPONSIBILITIES.


a. Deputy Assistant Secretary for Privacy and Treasury Records (DASPTR) shall:


1) establish policies, procedures, and standards to conduct PIAs and provide oversight for the implementation of Section 208 of the Act;


2) provide oversight and assist bureaus and offices to ensure that they comply with the guidelines for conducting PIAs;


3) review bureau and office PIAs, provide PIA training, and establish a process to conduct PIA compliance reviews;


4) coordinate the annual report to OMB on the Department's compliance with Section 208 of the Act;


5) disseminate additional policy appropriate to this subject and provide, as necessary, assistance to bureaus and offices in policy implementation; and


6) provide policy guidance and direction on privacy protection matters as they relate to the Privacy Act and the implementation of those portions of Section 208 of the E-Government Act relating to the protection of the privacy rights of individuals.


b. The Bureau Heads shall:


1) conduct privacy impact assessments for information systems and information collections before developing or procuring such systems, or before initiating any new information collections, that contain IIF from or about the public;


2) evaluate the measures for protecting privacy in IT systems that are acquired, developed, enhanced, maintained, and terminated, in accordance with Treasury PIA guidance (additional guidance shall be defined in TD P 25-07, the PIA Manual);


3) make PIAs publicly available on the bureau public website, in the Federal Register, or by some other means;


4) ensure adequate participation in the PIA process from all pertinent functional areas, e.g., the IT Security Officer, Privacy Act Officer, the System Developer, the Business Owner;


5) conduct privacy impact assessment training and provide guidance to employees and contractors who are involved in conducting PIAs;


6) ensure that PIAs are submitted to the Office of the Chief Information Officer, as supporting documentation to the Exhibit 300s for IT investments;


7) designate appropriate bureau and office officials who will be responsible for implementing Section 208 of the Act, serving as the principal contacts for IT and web matters, and serving as the reviewing official for PIAs; and


8) work with the bureau Privacy Act Officer and IT Security Officer who will provide critical review and analyses of privacy and security issues related to PIAs within their respective organizations.


6. PROCEDURES. Detailed guidelines shall be set forth in TD P 25-07, Privacy Impact Assessment Manual.


7. AUTHORITIES.


a. Consolidated Appropriations Act of 2005, Public Law 108-447, Division H, Section 522.


b. E-Government Act of 2002, Public Law 107-347, Section 208, and Title III, the Federal Information Security Management Act.


c. Clinger-Cohen Act, Public Law 104-106, Division E.


d. Paperwork Reduction Act of 1995, Public Law 104-13.


e. Privacy Act of 1974, Public Law 93-579, as amended.


f. Treasury Order 102-25, "Delegation of Authority Concerning Privacy and Civil Liberties."


8. REFERENCES.


a. OMB Circular A-123, “Management Accountability.”


b. OMB Circular A-130, "Management of Federal Information Resources."


c. TD 80-05, "Records and Information Management Program."


d. TD P 80-05, “Records and Information Management Manual.”


e. TD P 84-04, “Information System Life Cycle Manual.”


f. TD P 85-01, “Treasury Information Technology Security Program.”


g. OMB M-03-22, "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002."


9. OFFICE OF PRIMARY INTEREST. Office of the Deputy Assistant Secretary for Privacy and Treasury Records, Office of the Assistant Secretary for Management and Chief Financial Officer.


/S/

Peter B. McCarthy

Assistant Secretary for Management

and Chief Financial Officer