Before we discuss your role in protecting privacy at DHS, let me tell you about the framework we use to assess privacy risks associated with any new technology at DHS that collects PII.
We use the DHS Fair Information Practice Principles, or FIPPs, as our framework for identifying and mitigating privacy risks. When new systems are developed or updated to collect PII, privacy staff in the Components meet with the project manager early in the design process to review the FIPPs as part of our compliance documentation process to:
- Assess the need for, and scope of, any collection of PII, and
- Embed privacy protections in the Information Technology system at the front end.
We ask the system development team questions like:
- Is the PII you plan to collect relevant and necessary?
- What is your purpose and authority to collect this information?
If you are a program manager or system owner, it is important to understand your responsibilities for completing privacy compliance documentation before your system becomes operational. Depending on the nature of your system or program, privacy compliance documentation such as a Privacy Impact Assessment, required by the E-Government Act of 2002, and/or a System of Records Notice, required by the Privacy Act of 1974, may be required.
Although this course will not get into the details of how to prepare these documents, it is important to recognize that privacy compliance gaps can put your system or program at risk. For example, a recent Government Accountability Office report recommended that the Chief Privacy Officer investigate whether a system should be suspended until privacy compliance documentation could be completed. We encourage program managers and system owners to consult with their Component Privacy Officer or Privacy Point of Contact early in the Systems Development Lifecycle to ensure that privacy requirements are addressed.