The Privacy Office assesses the privacy risk of DHS information technology (IT) systems, technologies, rulemakings, programs, pilot projects, information collections, or forms (collectively referred to as "systems and programs"), and develops mitigation strategies by reviewing and approving all DHS privacy compliance documentation.
The privacy compliance process is an ongoing cycle with four key parts to ensure appropriate oversight: Privacy Threshold Analysis (PTA), Privacy Impact Assessment (PIA), System of Records Notice (SORN), and periodic review. Each part has a distinct function in implementing privacy policy at DHS, and together they enhance the oversight of and transparency into Department activities and demonstrate accountability to the public.
The first step in the process for DHS staff seeking to implement or update a system or program is to complete a PTA. The DHS Privacy Office reviews the PTA to determine if the system or program is privacy-sensitive and requires additional privacy compliance documentation such as a PIA or SORN. PTAs expire and must be reviewed and re-certified every three years or when changes/updates occur. The DHS Privacy Office will also determine if a Privacy Act Statement or Privacy Notice is required, either of which provides transparency and notice to the person from whom Personally Identifiable Information (PII) is being collected.
Required by the E-Government Act of 2002, the Homeland Security Act of 2002, or DHS Privacy policy, the PIA is a decision tool used by DHS to identify and mitigate privacy risks of systems and programs, and inform the public (1) what PII DHS is collecting; (2) why the PII is being collected; and (3) how the PII will be collected, used, accessed, shared, safeguarded, and stored. PIAs assess risk by applying the universally recognized Fair Information Practice Principles to Department systems and programs. If a PIA is required, the program manager will work with the Component Privacy Office to write the PIA for submission to the DHS Privacy Office for review and approval by the Chief Privacy Officer.
The Privacy Act of 1974 requires that federal agencies issue a SORN to provide the public notice regarding PII collected in a system of records. SORNs explain how the information is used, retained, and may be accessed or corrected, and whether certain portions of the system are subject to Privacy Act exemptions for law enforcement, national security, or other reasons. If a SORN is required, the program manager will work with the Component Privacy Office and Component counsel to write the SORN for submission to the DHS Privacy Office for review and approval by the Chief Privacy Officer.
Once the PTA, PIA, and SORN are completed, they are reviewed periodically by the DHS Privacy Office (timing varies by document type and date approved). For systems and programs that require only PTAs and PIAs, the process begins again three years after the document is complete or when there is an update/change to the system or program, whichever comes first. The process begins with either the update or submission of a new PTA. Office of Management and Budget guidance requires that SORNs be reviewed on a continual basis.
In addition, the Privacy Compliance Review (PCR) is both the process followed and the final document produced; it is designed to provide a constructive mechanism to improve a program’s ability to comply with existing privacy policy and compliance documentation, including PIAs, SORNs, and formal agreements such as Memoranda of Understanding or Memoranda of Agreement, or is conducted at the discretion of the Chief Privacy Officer.