Here is a summary of our privacy compliance process and documentation. In the left navigation you can search for Privacy Impact Assessments, System of Records Notices, and Computer Matching Agreements.
Privacy Threshold Analysis (PTA)
What is a PTA and when is it required?
The compliance process begins with a PTA, a required document that serves as the official determination by our office as to whether a Department program or system has privacy implications, and if additional privacy compliance documentation is required, such as a Privacy Impact Assessment (PIA) and System of Records Notice (SORN). The PTA is built into departmental processes for technology investments and security. PTAs expire and must be reviewed and re-certified every three years.
The purpose of a PTA is to:
- Identify programs and systems that are privacy-sensitive
- Demonstrate the inclusion of privacy considerations during the review of a program or system
- Provide a record of the program or system and its privacy requirements at the Department’s Privacy Office
- Demonstrate compliance with privacy laws and regulations
Drafting a PTA
A program manager is responsible for completing the PTA in close cooperation with the Component privacy officer. Once the PTA is complete, the Component privacy officer will submit the PTA to our office for review and determination of which privacy compliance documents must be completed.
The DHS Privacy Office has consolidated all previously issued PTA templates into three types: Standard (Programs and Information Technology), Information Sharing Agreements (ISA), and Information Collection/Forms (Forms). By conducting special compliance assessments based on the method of collection, the DHS Privacy Office is able to make more precise privacy compliance determinations about information technology systems, programs, tools, technologies, rulemakings, information sharing agreements, pilot projects, information collections, etc., that involve PII or privacy-sensitive technologies.
The information below will help you determine which type of PTA you should use.
1. Standard (Information Technology) PTA
The Standard PTA is the most common PTA, which will serve as the official determination by our office as to whether a Department program or IT system has privacy implications, and if additional privacy compliance documentation is required. Typically, you will use the Standard PTA.
2. Information Sharing Agreements (ISA-PTA)
The ISA-PTA is a specialized template for Information Sharing Agreements. Information Sharing Agreements, the primary vehicle used to exchange, receive and share information from external DHS parties, are arrangements, policies, standard operating procedures, practices, and understandings that are found in formal official documents such as Memorandums of Understanding, Memorandums of Agreement, and Letters of Intent. If you are entering into an Information Sharing Agreement in any form other than a Request for Information, please use this PTA template to conduct a privacy compliance assessment to document both the information that DHS receives, and the information that DHS provides to a third party.
3. Information Collections/Forms (Forms-PTA)
The Forms-PTA is a specialized template for Information Collections and Forms. This specialized PTA must accompany all Information Collections submitted as part of the Paperwork Reduction Act (PRA) process, which covers any instrument for collection (form, survey, questionnaire, etc.) from ten or more members of the public. Components may use this PTA to assess internal, Component-specific forms (not subject to the PRA) as well.
Privacy Impact Assessment (PIA)
What is a PIA and when is it required?
Once our office reviews a PTA and determines that a PIA is required, the Component program office will work collaboratively with the Component privacy officer, Component counsel, and our office to draft the PIA.
A PIA is a decision-making tool used to identify and mitigate privacy risks at the beginning of and throughout the development life cycle of a program or system. It helps the public understand what PII the Department is collecting, why it is being collected, and how it will be used, shared, accessed, secured and stored. The PIA uses the Fair Information Practice Principles (FIPPs) to assess and mitigate any impact on an individual’s privacy. Generally, a PIA is required before a program or system containing PII becomes operational.
- When developing or procuring any new Department program or system that will handle or collect PII
- For budget submissions to the Office of Management and Budget (OMB) that affect PII
- With pilot tests that affect PII
- When developing program or system revisions that affect PII
- When issuing a new or updated rulemaking that involves the collection, use, and maintenance of PII
Drafting a PIA
If a PIA is required, the Department program manager works closely with the Component privacy officer to complete the PIA, utilizing the guidance document listed below. Once completed, the PIA is sent to our office for review and approval by the Department’s Chief Privacy Officer.
The following guidance is provided by our office on how to write a PIA:
Approved PIAs are published on the Privacy Impact Assessment Web page unless they are classified.
System of Records Notice (SORN)
What is a System of Records?
A System of Records is a group of records under the control of any federal agency from which information is retrieved by a unique personal identifier assigned to an individual.
What is a SORN and when is it required?
A SORN is a formal notice to the public published in the Federal Register that identifies the purpose for which PII is collected, from whom and what type of PII is collected, how the PII is shared externally (routine uses), and how to access and correct any PII maintained by the Department.
A SORN is required when the Department has a system of records as defined above. In some instances, the Department may have an existing SORN that covers a collection of systems or programs. During the PTA and PIA processes, our office, in coordination with the Component privacy officer, will help determine whether a new SORN is required.
Drafting a SORN
If a SORN is required, the Component should use the guidance and templates below to provide a draft to the Component privacy officer, Component counsel, and, eventually, our office. All SORNs are approved by the Department’s Chief Privacy Officer prior to publication. They are sent to OMB and to Congress for comment, and then published in the Federal Register for thirty days to give the public notice and time to comment. A program or system may not become operational until the SORN has been published for thirty days.
The following guidance is provided by our office on how to write a SORN:
All SORNs published in the Federal Register can be found on the Department System of Records Notices Web page.
Privacy Act Statement (e)(3) Statement
What is a Privacy Act Statement and when is it required?
Pursuant to 5 U.S.C. § 552a(e)(3), agencies are required to provide a Privacy Act Statement to individuals prior to the collection of PII that will be entered into a system of records. The purpose of a Privacy Act Statement is to:
- Identify how the Department will use the PII; and
- Provide transparency and notice to the person about whom PII is being collected.
Computer Matching Program
What is a computer matching program and when is it required?
A computer matching program is required pursuant to the Privacy Act for any computerized comparison of two or more automated systems of records, or a system of records with non-federal records, for the purpose of establishing or verifying eligibility or compliance as it relates to cash or in-kind assistance or payments under federal benefit programs.
Notices for approved computer matching programs are published in the Federal Register and can be found on the Computer Matching Programs Web page.