Privacy Impact Assessment Template
Total Page:16
File Type:pdf, Size:1020Kb
Privacy Impact Assessment Template
Information Sharing System(s) Assessed: System Name
Purpose
Assessment Date:
Organizations Involved:
Assessors:
Project Manager:
Final PIA Submitted to:
Date Submitted:
Approved By:
Approval Date:
Guide to Conducting Privacy Impact Assessments: Privacy Impact Assessment Template 1 Instructions There are 43 questions in eight PIA Your tolerance for that risk Categories. Questions are coded by color, Avoidance: Avoidance is often used for depending on who should respond (see risks that have the capacity for negative Legend). impact, but have little known recourse. In privacy projects, a decision to avoid risks often means a decision not to let your The Question column poses a question for agency put itself in the situation where it response or action, and the Rationale could incur the risk. Therefore, your decision column provides further detail and in some would also be to avoid the cause of the risk. cases, instruction. Assume: The decision to assume a risk Respond in the Answer column as means accepting the risk as-is, and not appropriate (Yes, No, N/A, or a narrative implementing any policies or procedures to response). Attach materials, if needed. lessen it. This is often the decision in cases where the risk is so minimal and of limited In the Assessment of Risk column, make a impact should it occur that the cost of judgment as to the Likelihood, Severity, and implementing a mechanism to minimize or Risk Tolerance Level of the privacy risk.1 reduce it would be far greater than the Use these guidelines: agency’s concern.
Likelihood that risk will occur Mitigate: This is the most common decision Remote: The risk probably will not occur to make for identified risks: to implement because the risk would be difficult to realize, policies, procedures, and other controls to or there are solid means in place to limit the limit the risk to an acceptable level. risk appropriately. Transfer: Transfer the responsibility for a Possible: The risk has a chance of system or the risk itself to another party that occurring, but it may be difficult or there are can better accept and deal with the risk policies or procedures in place to help avoid and/or has the resources necessary to the risk. properly mitigate the risk.
Likely: Due to conditions and capabilities, In the Correction Action/Recommendation the risk is likely to occur. column, record the corrective action or recommendation that your initiative will take Severity of identified risk to mitigate the identified risk. Low: The risk is manageable through planning and action, and the impacts In the Priority column, record the priority generally are minimal. level of the risk, either 1 (high priority), 2 (moderate priority) or 3 (lowest priority). Medium: The risk will be mitigated through planning and action, although if it occurs, it will still have some impact on some of the Legend more important areas of concern. Questions are coded by the color of the person(s) most likely to be able to respond. High: The risk will have serious impacts and without extensive planning and action, its System Administrator consequences would be severe. Data Privacy Officer or Legal Counsel
Records Staff
Technical/System Security Staff
1 For more about risk assessment, see Law Enforcement Tech Guide for Information Technology Security: How to Assess Risk and Establish Effective Policies, prepared by SEARCH and published by the Office of Community Oriented Policing Services, U.S. Department of Justice. Available at http://www.search.org/programs/safety/tech-guide.asp.
Guide to Conducting Privacy Impact Assessments: Privacy Impact Assessment Template 2 PIA Category 1: Purpose Specification Corrective Action/ Priority Code Question Rationale Answer Assessment of Risk Recommendation [1,2,3] 1. Is there a written purpose A purpose statement helps an agency statement for collecting decide what data it needs to collect and personally identifiable may be required by state law. information?
2. Is the purpose statement The purpose for information collection posted or otherwise easily should be stated no later than at data accessible to the public collection. Subsequent data use should when information is be limited to stated or compatible collected? purposes. Making your purpose statement available to the public provides greater openness.
3. Do you have statutory State and/or federal laws may limit what authority for collecting this data can be collected. data?
If so, include citation(s). 4. Describe the relationship The amount and type of data needed to between collected data and achieve a program’s purpose should be the system’s purposes so analyzed. extra data are not collected. 5. Will there be a periodic Privacy is promoted when government review of collected data to agencies routinely review data and make sure they are still storage to ensure that excessive data needed? are not collected.
If so, include the review schedule. 6. Is the written purpose Written purpose statements should be statement periodically reviewed periodically to ensure they reviewed and updated? reflect the current information-sharing environment. PIA Category 2: Collection Specification Corrective Action/ Priority Code Question Rationale Answer Assessment of Risk Recommendation [1,2,3]
Guide to Conducting Privacy Impact Assessments 3 7. Is the collection of personal Limiting the collection of personal information limited to the information minimizes the possible use system’s identifiable of inaccurate, incomplete or outdated purpose? information. It also reduces the information that can be compromised should a breach occur. 8. Is personal information Information should be obtained in a way obtained by lawful and fair that is not inappropriately intrusive. The means? provider should not be misled or deceived about why it is collected. 9. Where appropriate, is Consent can be expressed or implied, personal information but it must be unequivocal. Implied obtained with the knowledge consent may be inferred from the action or consent of the data or inaction of the information provider. subject?
10. Are collected data elements Data classification determines who has classified to limit public or access and for what purposes. data-subject access?
If so, describe how.
11. Are data collected on Generally, state and federal laws juveniles? provide special rules for juvenile data. PIA Category 3: Data Quality Corrective Action/ Priority Code Question Rationale Answer Assessment of Risk Recommendation [1,2,3] 12. Are there business While this may not be a statutory practices/ procedures to requirement in your state, you should verify data are accurate, consider adopting this concept as a complete, and current? best practice.
If yes, describe procedures. 13. Is the system the source of If not, you may need to consider how to the data? ensure data accuracy and completeness. 14. Is the data collected directly Collecting data directly from a data from the individual? subject might increase data accuracy. 15. Do procedures for data Most states require a records retention management detail retention schedule for data maintenance.
Guide to Conducting Privacy Impact Assessments 4 and disposal issues? 16. Do you have a procedure for Agencies must make reasonable efforts tracking: to minimize the possibility of using Modification inaccurate, incomplete, or outdated requests? information. This should include Determinations of effective processing of modification requests to modify? requests so a data subject’s record Modifications includes the result of the request along based on the requests? with the information consulted in Source used to response to the request, and the date modify the information? that any modification occurred. When the last modification occurred? 17. Is there a procedure to Agencies may want to consider provide notice of correction establishing logs and audit trails to or modification to: identify justice system users and third Subsequent justice parties that received personal system users? information. This would allow agencies Third parties (secondary to notify down-the-line users when data users)? are modified from those originally transmitted. 18. Where access by the data When accuracy cannot be verified by subject is not appropriate, the data subject because of sensitivity are there other methods to (e.g., intelligence data), agencies may ensure that information is consider other methods to ensure data accurate and up to date? quality and timeliness, such as examining the reliability of the If yes, what are the other contributor, matching the data against methods? other reliable sources, seeking verification from third parties, and other approaches. PIA Category 4: Use Limitation Corrective Action/ Priority Code Question Rationale Answer Assessment of Risk Recommendation [1,2,3]
19. Is use or disclosure of Personal data must be collected for personal information limited specified, explicit, and legitimate to the purposes articulated purposes and not used in a way that is in Principle 1? incompatible with those purposes.
20. Is the disclosure of Disclosure can be limited by state or
Guide to Conducting Privacy Impact Assessments 5 personally identifiable data federal law or by agency policies. In limited by state or federal answering this question, agencies law or policy? should address methods limiting data disclosure.
21. Are secondary uses limited Reasonable steps should be taken to to those: inform the provider how the information With the data subject’s will be used, and that the information consent? may be used beyond the purposes for By the authority of law? which it was collected. His or her Pursuant to a public consent may or may not be sought in access policy? these instances.
22. By law, can outside entities Unless state or federal law authorizes access data held by your data sharing, you may need the system? subject’s consent or a court order before sharing data with outside If so, list the outside entities, agencies or third parties. Your state law their authorized purposes may also permit data sharing through and any statute citations. contract or memorandum of understanding.
23. Is access to sensitive data Employee/contractor access can be limited to staff/contractors limited by policies and procedures or that need the data for their system design. work?
If so, describe how. PIA Category 5: Security Safeguards Corrective Action/ Priority Code Question Rationale Answer Assessment of Risk Recommendation [1,2,3]
24. Does reasonable technical Reasonable security is crucial. A security protect data against “reasonableness” standard reflects that unauthorized access or no security is foolproof, and that what is disclosure? reasonable will change as technology improves. Security is also based on the data’s sensitivity/ classification.
25. Is there reasonable physical Technical security receives more security in place? attention, but physical security is also important.
26. Have user-access profiles User access should be limited to the been assigned on a need-to- data that each employee needs for
Guide to Conducting Privacy Impact Assessments 6 know basis? official duties.
27. Do controls and procedures Read-only access can control who exist for the authority to add, alters system data. change or delete personally identifiable data?
28. Has staff been trained to Regular training will help staff keep protect personal abreast of technical, legal, and other information? critical issues.
29. Are there plans and Agencies should consider plans to mechanisms in place to identify security breaches or identify: inappropriate disclosures of personal Security breaches? information. Mechanisms should be Disclosure of personal established to quickly notify affected information in error? parties so they can mitigate collateral damage.
30. Does security include Audit trails allow the investigation of auditing to track system use inappropriate access or use. (e.g., by whom and when data are accessed or updated)? PIA Category 6: Openness Principle Corrective Action/ Priority Code Question Rationale Answer Assessment of Risk Recommendation [1,2,3]
31. Is contact information for Source systems are systems from your agency’s privacy officer which you receive data. It is a good and for the privacy officers business practice to know not only your for any source systems own privacy officer, but the officers for accessible by the public? source systems.
Attach a list of the names/contact information.
32. Do you have written policies Agencies should adopt general and procedures that explain openness policies about practices and how the public and data procedures for the use and protection of subjects can access data? personal information. Agencies should make these policies available with reasonable effort upon request.
33. Does your agency require a State law may require that a data
Guide to Conducting Privacy Impact Assessments 7 privacy notice before data subject be given a privacy notice on are collected? how collected data will be used and shared.
34. Does your agency require Agencies should make their personal notice to affected individuals information management policies when data are requested, readily available to information sold or released to third providers with reasonable effort. A third parties? party receiving information must also adhere to responsible protection requirements. PIA Category 7: Individual Participation Corrective Action/ Priority Code Question Rationale Answer Assessment of Risk Recommendation [1,2,3]
35. Can an individual, or an Record subjects should be able to individual’s agent, obtain request access to their personal data at confirmation of whether the reasonable intervals without excessive data collector has delay or expense. Information should be information relating to him or in intelligible form and include any her? available information about the source.
36. Do procedures explain a Information shown by the data subject data subject’s right to to be inaccurate, incomplete, out of challenge data accuracy date, or irrelevant should be revised, and/or completeness? modified, corrected, or removed.
37. Are these procedures Policies and procedures providing posted or readily available? authority to access personal information for review should be provided with reasonable effort to the subject.
38. Are there procedures to flag Agencies may want to flag challenged challenged data and to post data and to post data provided by the additional data related to the challenger to alert subscribers that data challenge? is being challenged and to provide them with the latest and most complete information.
39. Can you resolve data Laws may allow data subjects to challenges when data challenge data wherever it is originated with another maintained, even if the data did not agency? originate with the agency that is being challenged. Coordinating data challenges with the agency where the
Guide to Conducting Privacy Impact Assessments 8 data originated would be the most effective way to reach a decision about data from another official source. Also, assisting data subjects in locating inaccurate or incomplete data wherever it is maintained is a valuable public service and a best practice.
40. Can you verify data subjects' Many jurisdictions require subjects to identities prior to allowing submit fingerprints to verify that they are them access to data? the subjects of the information they seek. If yes, describe measures. PIA Category 8: Accountability Corrective Action/ Priority Code Question Rationale Answer Assessment of Risk Recommendation [1,2,3] 41. Does your agency have an An individual should be designated to individual responsible for monitor compliance with these laws and complying with records policies, and to establish procedures for management laws and receiving and resolving complaints. policies?
If so, provide name/contact.
42. Are there penalties for Agencies may consider internal unauthorized use of data? penalties up to and including termination and prosecution for If yes, describe the improper and/or unauthorized use of penalties. personal information. Outside agencies may lose access to such information for similar improper and/or unauthorized use.
43. Can you easily provide Systems that contain some public data access to all of the public should be designed to allow easy data when requested? production of the data for the public. Your state law may require it.
Guide to Conducting Privacy Impact Assessments 9 Guide to Conducting Privacy Impact Assessments 10