The Privacy Office assesses the privacy risk of DHS information technology (IT) systems, technologies, rulemakings, programs, pilot projects, information collections, or forms (collectively referred to as "systems and programs"), and develops mitigation strategies by reviewing and approving all DHS privacy compliance documentation.
The first step in the process for DHS staff seeking to implement or update a system or program is to complete a PTA. The DHS Privacy Office reviews the PTA to determine if the system or program is privacy-sensitive and requires additional privacy compliance documentation such as a PIA or SORN. PTAs expire and must be reviewed and re-certified every three years or when changes/updates occur. In addition, the DHS Privacy Office will also determine if a Privacy Act Statement or Privacy Notice is required, which provide transparency and notice to the person from whom Personally Identifiable Information (PII) is being collected.
The Privacy Act of 1974 requires that federal agencies issue a SORN to provide the public notice regarding PII collected in a system of records. SORNs explain how the information is used, retained, and may be accessed or corrected, and whether certain portions of the system are subject to Privacy Act exemptions for law enforcement, national security, or other reasons. If a SORN is required, the program manager will work with the Component Privacy Office and Component counsel to write the SORN for submission to the DHS Privacy Office for review and approval by the Chief Privacy Officer.
Once the PTA, PIA, and SORN are completed, they are reviewed periodically by the DHS Privacy Office (timing varies by document type and date approved). For systems and programs that require only PTAs and PIAs, the process begins again three years after the document is complete or when there is an update/change to the system or program, whichever comes first. The process begins with either the update or submission of a new PTA. Office of Management and Budget guidance requires that SORNs be reviewed on a continual basis.