Sample Checklist for Conducting Privacy Act Assessment/Staff Visits

By DON CIO Privacy Team - Published, September 17, 2010

The following checklist is provided for use by Privacy Act coordinators and should be tailored to a command's specific needs.

Management

• Has the head of the activity designated a Privacy Act (PA) coordinator to serve as the principal point of contact on privacy matters and be responsible for effective implementation and compliance? Is this designation in writing? Are these duties reflected in his/her position description?
• Has an effective PA program been established and maintained through all echelons, with adequate funding and sufficiently experienced staff at all levels, designated to ensure effective compliance? Is there a listing of the PA points of contacts at the lower echelons?
• Is the designated PA coordinator responsible within his/her jurisdiction for monitoring, inspecting and reporting on the status of the activity's PA program at all echelons? Has there been a recent review of one of those activities? If so, is there a report of the findings?
• Are responsible PA coordinators at various echelons adequately staffed and trained to accomplish their responsibilities?
• Has the command adequately implemented SECNAVINST 5211.5 series by publishing internal command procedural rules?

• Are all command echelons knowledgeable of the rules of conduct for persons involved in the design, development, operation or maintenance of any system of records? Is there a listing of those systems of records that are maintained and a listing of systems managers responsible for maintaining those systems?
• What training has the PA coordinator received? What orientation training have command personnel received concerning their rights and responsibilities under the PA? What training has systems managers, denial authorities, and senior management personnel received who are responsible for systems of records? What training have specialized personnel (i.e., financial, medical, law enforcement, records management, etc.) received who are responsible for processing personal information on a daily basis? How often are these individuals being trained?
• Are there established activity procedures in place to ensure effective compliance under section (m) of the Privacy Act by contractors?
• What guidance is the naval activity following to determine how long PA records are to be maintained?
• Where is the PA program located? Is this the most feasible place? Is legal support available?

• Does the activity only maintain information about an individual that is relevant, timely, necessary and complete to accomplish a purpose of the activity required by statute or by Executive Order?
• Is the information collected to the greatest extent practicable directly from the individual when the information may result in adverse determinations about an individual's right, benefit and privileges under Federal programs?
• Is the individual advised that E.O. 9397 is the authority for requesting his/her Social Security number? When requesting other personal information from an individual, is he/she informed through a Privacy Act Statement (PAS), the authority for requesting the information, the purposes for which the information was collected, the routine uses/users for the information, and whether providing the information is voluntary or mandatory and the consequences for not disclosing it? Are any rights, benefits or privileges being denied because the individual refuses to disclose his/her SSN or other items of personal information being requested? Ask for sample PAS's currently being used.
• Are appropriate administrative, technical and physical safeguards established to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity that could result in substantial harm, embarrassment, inconvenience or unfairness to any individual on whom information is being maintained?

• Is the PA coordinator aware that the Navy's PA system of records notices may be found on the DON CIO website? Has the PA coordinator reviewed the listing of systems of records and identified those used by his/her command?
• Are procedures in place to ensure that no record keeping function retrievable by a personal identifier is being operated without first being reported and published in the Federal Register? Does the PA coordinator know where to seek assistance when an unreported system of records has surfaced?
• In actual practice, are the routine uses made of records from systems of records in conformity with the listed routine use element of the published systems notice?
• Are the routine uses in the notice compatible with the purpose for which the record was collected?
• Compare the elements of the published systems notice with the actual practices/procedures in effect. Do they conform?

• Are PAS's given for all forms, questionnaires, survey sheets, reports, etc., that solicit personal information directly from the individual? Review samples.
• Is the PAS on the form accurate and contain information regarding Authority, Purpose, Routine Uses and Disclosure?

• Are requests entered into a tracking system to ensure they are responded to within 30 days? Review copies of the responses made to Privacy Act requests the activity has processed.

• Are amendment requests responded to within 30 days of receipt?
• Are previous recipients of the records notified when a requested amendment is honored?
• Does the activity's denial authority make a review of the refusal within 30 days after receipt of the individual's appeal?
• If a denial is made, is the individual advised of his/her right to submit a statement of disagreement that will be provided to each recipient of the record?

• Does the systems manager/PA coordinator understand how to adjudicate "need to know" requests within the DON/DoD?
• For routine use disclosures, are accurate accountings of all disclosures made from an individual's record being maintained? Are they being retained for five years or the life of the record, whichever is later? Have a sampling of disclosure accountings sheets been reviewed?

• Is the PA Coordinator aware that the PA report was cancelled in 2000?

TAGS: IA, IDManagement, Privacy