Privacy Threshold Analysis (PTA)

What is a PTA and when is it required?

The compliance process begins with a PTA, a required document that serves as the official determination by our office as to whether a Department program or system has privacy implications, and if additional privacy compliance documentation is required, such as a Privacy Impact Assessment (PIA) and System of Records Notice (SORN). The PTA is built into departmental processes for technology investments and security. PTAs expire and must be reviewed and re-certified every three years.

The purpose of a PTA is to:

• Identify programs and systems that are privacy-sensitive
• Demonstrate the inclusion of privacy considerations during the review of a program or system
• Provide a record of the program or system and its privacy requirements at the Department’s Privacy Office
• Demonstrate compliance with privacy laws and regulations

Drafting a PTA

The Department program manager is responsible for completing the PTA in close cooperation with the component privacy officer. Once the PTA is complete, the component privacy officer will submit the PTA to our office for review and determination of which privacy compliance documents must be completed.

To complete a PTA for a Department program or system, download the PTA template and follow the instructions

To obtain a Word version of the template, please e-mail pia@hq.dhs.gov

Privacy Impact Assessment (PIA)

Once our office reviews a PTA and determines that a PIA is required, the component program office will work collaboratively with the component privacy officer, component counsel, and our office to draft the PIA.

What is a PIA?

A PIA is a decision-making tool used to identify and mitigate privacy risks at the beginning of and throughout the development life cycle of a program or system. It helps the public understand what PII the Department is collecting, why it is being collected, and how it will be used, shared, accessed, and stored.

The PIA uses the Fair Information Practice Principles (FIPPs) to assess and mitigate any impact on an individual’s privacy.

When is a PIA required?

Generally, a PIA is required before a program or system containing PII becomes operational. The Privacy Policy Guidance Memorandum 2008-02 establishes the reasons for conducting a PIA, which include:

• When developing or procuring any new Department program or system that will handle or collect PII
• For budget submissions to the Office of Management and Budget (OMB) that affect PII
• With pilot tests that affect PII
• When developing program or system revisions that affect PII
• When issuing a new or updated rulemaking that involves the collection, use, and maintenance of PII

Drafting a PIA

If a PIA is required, the Department program manager works closely with the component privacy officer to complete the PIA, utilizing the guidance document listed below. Once completed, the PIA is sent to our office for review and approval by the Department’s Chief Privacy Officer.

The following guidance is provided by our office on how to write a PIA:

• Privacy Impact Assessment Guidance and Template

Approved PIAs are published on the Privacy Impact Assessment Web page unless they are classified.

To obtain a Word version of the template, please e-mail pia@hq.dhs.gov

System of Records Notice (SORN)

What is a System of Records?

A System of Records is a group of records under the control of any federal agency from which information is retrieved by a unique personal identifier assigned to an individual.

What is a SORN?

A SORN is a formal notice to the public published in the Federal Register that identifies the purpose for which PII is collected, from whom and what type of PII is collected, how the PII is shared externally (routine uses), and how to access and correct any PII maintained by the Department.

When is a SORN required?

A SORN is required when the Department has a system of records as defined above. In some instances, the Department may have an existing SORN that covers a collection of systems or programs. During the PTA and PIA processes, our office, in coordination with the component privacy officer, will help determine whether a new SORN is required.

Drafting a SORN

If a SORN is required, the component should use the guidance and templates below to provide a draft to the component privacy offcer component counsel and eventually our office. All SORNs are approved by the Department’s Chief Privacy Officer prior to publication. They are sent to the OMB and to Congress for comment and then published in the Federal Register for thirty days to give the public notice and time to comment. A program or system may not become operational until the SORN has been published for thirty days.

The following guidance is provided by our office on how to write a SORN:

• System of Records Template
• Notice of Proposed Rule Making Template
• Final Rule Template

All SORNs published in the Federal Register can be found on the Department System of Records Notices Web page.

To obtain a Word version of the template, please e-mail pia@hq.dhs.gov

Privacy Act Statement (e)(3) Statement

What is a Privacy Act Statement and when is it required?

Pursuant to 5 U.S.C. §552a (e) (3), agencies are required to provide a Privacy Act Statement to individuals prior to the collection of PII that will be entered into a system of records. The purpose of a Privacy Act Statement is to:

• Identify how the Department will use the PII; and
• Provide transparency and notice to the person about whom PII is being collected.

Computer Matching Program

What is a computer matching program and when is it required?

A computer matching program is required pursuant to the Privacy Act for any computerized comparison of two or more automated systems of records, or a system of records with non-federal records, for the purpose of establishing or verifying eligibility or compliance as it relates to cash or in-kind assistance or payments under federal benefit programs.

Notices for approved computer matching programs are published in the Federal Register and can be found on the Computer Matching Programs Web page.

To obtain additional information, please e-mail pia@hq.dhs.gov.