Office of the Chief Information Officer &
High Performance Computing and Communications

NOAA Privacy Web page

NOAA Privacy Team

1. Rob Swisher, Director, Governance and Portfolio Division, robert.swisher@noaa.gov, 301-628-5755
2. Mark Graff, Bureau Chief Privacy Officer, mark.graff@noaa.gov, 301-628-5658
3. Sarah Brabson, Bureau Privacy Act Officer (and initial contact for PIA and PTA review), sarah.brabson@noaa.gov, 301- 628-5751
4. Eric Williams, Bureau Privacy Breach Lead, eric.d.williams@noaa.gov, 301-713-9111

Federal agencies are required by law to protect information about individuals (members of the public, Federal employees and contractors) which they may collect, disseminate and/or store.

The Privacy Act of 1974 (5 USC 552a) regulates the Federal Government's collection, use, maintenance, and dissemination of information about individuals. The Act establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual. The Privacy Act requires that agencies give the public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of information from a system of records absent the written consent of the subject individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records, and sets forth various agency record-keeping requirements.

Personally Identifiable Information (PII) and Business Indentifiable Information (BII)

The term “personally identifiable information” refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as gender, date and place of birth, mother’s maiden name, etc. Name and contact information are PII.

Sensitive PII: (from OMB M-07-16, below): Using a best judgment standard, the sensitivity of certain terms, such as personally identifiable information, can be determined in context. For example, an office directory contains personally identifiable information (name, phone number, etc.). In this context the information probably would not be considered sensitive; however, the same information in a database of patients at a clinic which treats contagious disease probably would be considered sensitive information. PII that is always considered sensitive includes the social security number and any financially-related numbers such as credit card numbers and checking accounts.

The Department of Commerce (DOC) also requires protection of Business identifiable information (BII) :BII consists of information that is defined in the Freedom of Information Act (FOIA) as "trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential." (5 U.S.C.552(b)(4)). This information is exempt from automatic release under the (b)(4) FOIA exemption. "Commercial" is not confined to records that reveal basic commercial operations but includes any records [or information] in which the submitter has a commercial interest and can include information submitted by a nonprofit entity.

Here is an overview of the same information about PII and BII in a brochure published by DOC's Privacy Program in 2015.

Here is the NOAA Data Loss Prevention Plan, signed by Zach Goldstein on August 30, 2016. The related DOC memorandum is here.

Privacy-Related Statutes and Memoranda

DOC and NOAA Privacy Control Allocations and Artifacts -basic information regarding privacy controls assessment.

NOAA Privacy Control Allocations and Implementation Statements (approved by NOAA Chief Privacy Officer but not yet reviewed by DOC Privacy Officer)

PIA template with cross-references to Privacy Controls - not for use in writing PIAs, but for auditors, as a tool for reviewing implementation of privacy controls

Privacy Threshold Analysis

See the Privacy Threshold Analysis (PTA) template.

First, ensure that a system description is included; the recommendation is to use the one in CSAM.

Then, follow the instructions to determine if a PIA is needed. NOTE: the current PTA template states that not all questions need to be answered, if the answer to Question 1 indicates a PIA is not needed. However, we request that you answer all questions, to have a clear record of whether the system has PII or BII and from whom it is collected. Also, BEFORE collecting the required silgnatures on the PTA, please send to Sarah. Brabson@noaa.gov the Word version for review. Signatures: as with the PIA, no co-AO signature is needed.

Privacy Impact Assessments

Privacy Impact Assessments (PIAs) are required by Section 208 of the E-Government Act for all Federal government agencies that develop or procure new technology(e.g. an electronic database) involving the collection, maintenance or dissemination of personally identifiable information or that make substantial changes to existing technology for managing information in identifiable form. The Office of Management and Budget (OMB) ensures that PIAs necessitated under the E-Government Act are completed by requiring them as part of the annual budget process.

A PIA is an analysis of how personally identifiable information is collected, stored, protected, shared and managed. “Personally identifiable information” (PII) is defined as information in a system or online collection that directly or indirectly identifies an individual whether the individual is a U.S. Citizen, Legal Permanent Resident, or a visitor to the U.S. Please refer to the NOAA PIA Guidance and template for basic instructions, as well as additional DOC guidance for new questions in the 2015 PIA template. Please contact Sarah Brabson, NOAA OCIO Privacy Coordinator, (301) 628-5751, or Sarah.Brabson@noaa.gov foradditional guidance. OMB's Guidance for Implementing Section 208 also provides background information. NOTE: Please do not convert the PIA document to pdf, only the signature page, so that reviewers may edit and comment easily.

DOC Memo of November 18, 2014, citing M14-04, and stating policy that the NIST 800-53 Rev 4 Privacy Controls must be implemented.

Prvacy Act System of Record Notices (SORNs)

Any system of records as defined in section (a)(5) of the Privacy Act (“ . . .a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual”) and noted in a System of Records Notice (SORN) in the FEDERAL REGISTER either by the Department of Commerce or by another Federal agency. Each PIA must be covered by at least one SORN.

Pkease go here for a listing of current NOAA SORNs and a link to DOC SORNs.

Related Requirement which MAY apply:

The collection of information also may require approval by OMB under the Paperwork Reduction Act. For more information on Paperwork Reduction Act (PRA) requirements, please go to the Paperwork Reduction Act Home Page or contact Sarah Brabson (who is also the NOAA PRA Clearance Officer).

Approved NOAA PIAs:

NOAA Cyber Security Center (NOAA0100) - approved 10/7/2016

NOAA Web Operations Center (NOAA0201) - approved 1/9/2017

NOAA Information Technology Center (NOAA1101), approved 5/25/16

NOAA Corporate Services Local Area Network (LAN) (NOAA1200) - approved 12/15/2014

NOAA Everbridge Mass Notification System (EMNS) (NOAA0900) - approved 4/4/2014

NOAA Office of Marine and Aviation Operations Ship Fleet Spport System - approved 10/21/2016

NOAA NMFS Permits Systems - approved 2/3/2010

NOAA NMFS West Coast Region Local Area Network (NOAA4500) - approved 12/5/2016

NOAA NMFS Seattle Local Area Network (LAN) (NOAA4600) - approved 10/5/2015

NOAA NMFS Greater Atlantic Region Office Network (NOAA4100) - approved 7/26/2016

NOAA NMFS Southeast Fisheries Science Center Network (NOAA4400) - approved 6/21/2016