Office of the Chief Information Officer &
High Performance Computing and Communications
NOAA Privacy Web page
NOAA Privacy Team
1. Rob Swisher, Director, Governance and Portfolio Division, email@example.com, 301-628-5755
2. Mark Graff, Chief Privacy Officer, firstname.lastname@example.org, 301-628-5658
3. Sarah Brabson, Privacy Act Officer (and initial contact for PIA and PTA review), email@example.com, 301-628-5751
4. Eric Williams, Privacy Breach Lead, firstname.lastname@example.org, 301-713-9111
Federal agencies are required by law to protect information about individuals (members of the public, Federal employees and contractors) which they may collect, disseminate and/or store.
The Privacy Act of 1974 (5 USC 552a) regulates the Federal Government's collection, use, maintenance, and dissemination of information about individuals. The Act establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual. The Privacy Act requires that agencies give the public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of information from a system of records absent the written consent of the subject individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records, and sets forth various agency record-keeping requirements.
Personally Identifiable Information (PII) and Business Identifiable Information (BII)
The term "personally identifiable information" refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., either alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as gender, date and place of birth, mother's maiden name, etc. Name and contact information are PII.
Sensitive PII: (from OMB M-07-16, below): Using a best judgment standard, the sensitivity of certain terms, such as personally identifiable information, can be determined in context. For example, an office directory contains personally identifiable information (name, phone number, etc.). In this context the information probably would not be considered sensitive; however, the same information in a database of patients at a clinic which treats contagious disease probably would be considered sensitive information. PII that is always considered sensitive includes the social security number and any financially-related numbers such as credit card numbers and checking accounts.
The Department of Commerce (DOC) also requires protection of Business Identifiable Information (BII). BII consists of information that is defined in the Freedom of Information Act (FOIA) as "trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential" (5 U.S.C. 552(b)(4)). This information is exempt from automatic release under the (b)(4) FOIA exemption. "Commercial" is not confined to records that reveal basic commercial operations but includes any records [or information] in which the submitter has a commercial interest, and can include information submitted by a nonprofit entity.
Here is an overview of the same information about PII and BII in a brochure published by DOC's Privacy Program in 2015.
Here is the NOAA Data Loss Prevention Plan, signed by Zach Goldstein on August 30, 2016.
DOC and NOAA Privacy Control Allocations and Artifacts - basic information regarding privacy controls assessment.
NOAA Privacy Control Allocations and Implementation Statements (approved by NOAA Chief Privacy Officer but not yet reviewed by DOC Privacy Officer)
PIA template with cross-references to Privacy Controls - not for use in writing PIAs, but for auditors, as a tool for reviewing implementation of privacy controls
Privacy Threshold Analysis
First, ensure that a system description is included; the recommendation is to use the one in CSAM.
Then, follow the instructions to determine if a PIA is needed. NOTE: the current PTA template states that not all questions need to be answered if the answer to Question 1 indicates a PIA is not needed. However, we request that you answer all questions, to have a clear record of whether the system has PII or BII and from whom it is collected. Also, BEFORE collecting the required signatures on the PTA, please send the Word version to Sarah.Brabson@noaa.gov for review. Signatures: as with the PIA, no co-AO signature is needed.
Privacy Impact Assessments
Privacy Impact Assessments (PIAs) are required by Section 208 of the E-Government Act for all Federal government agencies that develop or procure new technology (e.g., an electronic database) involving the collection, maintenance or dissemination of personally identifiable information, or that make substantial changes to existing technology for managing information in identifiable form. The Office of Management and Budget (OMB) ensures that PIAs necessitated under the E-Government Act are completed by requiring them as part of the annual budget process.
A PIA is an analysis of how personally identifiable information is collected, stored, protected, shared and managed. "Personally identifiable information" (PII) is defined as information in a system or online collection that directly or indirectly identifies an individual, whether the individual is a U.S. Citizen, Legal Permanent Resident, or a visitor to the U.S. Please refer to the NOAA PIA Guidance and template for basic instructions, as well as additional DOC guidance for new questions in the 2015 PIA template. Please contact Sarah Brabson, NOAA OCIO Privacy Coordinator, (301) 628-5751, or Sarah.Brabson@noaa.gov for additional guidance. OMB's Guidance for Implementing Section 208 also provides background information. NOTE: Please do not convert the PIA document to PDF, only the signature page, so that reviewers may edit and comment easily.
DOC Memo of November 18, 2014, citing M14-04, and stating policy that the NIST 800-53 Rev 4 Privacy Controls must be implemented.
Privacy Act System of Record Notices (SORNs)
Any system of records as defined in section (a)(5) of the Privacy Act (" . . . a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual") must be noted in a System of Records Notice (SORN) in the FEDERAL REGISTER, either by the Department of Commerce or by another Federal agency. Each PIA must be covered by at least one SORN.
Please go here for a listing of current NOAA SORNs and a link to DOC SORNs.
Related Requirement which MAY apply:
The collection of information also may require approval by OMB under the Paperwork Reduction Act. For more information on Paperwork Reduction Act (PRA) requirements, please go to the Paperwork Reduction Act Home Page or contact Sarah Brabson (who is also the NOAA PRA Clearance Officer).
Approved NOAA PIAs:
NOAA Cyber Security Center (NOAA0100) - approved 10/7/2016
NOAA Web Operations Center (NOAA0201) - approved 1/9/2017
NOAA Information Technology Center (NOAA1101), approved 5/25/16
NOAA Corporate Services Local Area Network (LAN) (NOAA1200) - approved 12/15/2014
NOAA Everbridge Mass Notification System (EMNS) (NOAA0900) - approved 4/4/2014
NOAA Office of Marine and Aviation Operations Ship Fleet Support System - approved 10/21/2016
NOAA NMFS Permits Systems - approved 2/3/2010
NOAA NMFS West Coast Region Local Area Network (NOAA4500) - approved 12/5/2016
NOAA NMFS Seattle Local Area Network (LAN) (NOAA4600) - approved 10/5/2015
NOAA NMFS Greater Atlantic Region Office Network (NOAA4100) - approved 7/26/2016
NOAA NMFS Southeast Fisheries Science Center Network (NOAA4400) - approved 6/21/2016
NOAA NMFS Pacific Islands Region Local Area Network (NOAA4920) - approved 10/19/2016
NOAA NMFS Southwest Fisheries Science Center (NOAA4930) - approved 2/4/2016
NOAA NMFS Pacific Islands Fisheries Science Center Network (NOAA4960) - approved 9/30/2016
NOAA NMFS Science and Technology Division (NOAA4020) - approved 7/25/2016
NOAA Data Collection System (DCS) (NOAA5004) - approved 9/23/2016
NOAA National Climatic Data Center Local Area Network (LAN) (NOAA5009) - approved 2/11/2015
NESDIS National Oceanographic Data Center (NOAA5010) - approved 9/6/2016
NOAA Data Archive Management and User System (NOAA5011) - approved 8/11/2016
NESDIS Headquarters Information System (NOAA5006) - approved 12/1/2014
NESDIS Fairbanks Command and Data Acquisition Station Administrative Local Area Network (LAN) (NOAA5008) - approved 6/9/2014
NESDIS Center for Satellite Applications and Research (STAR) LAN (NOAA5018) - approved 7/27/2015
NOAA Satellite Operations Facilities Administrative LAN (NOAA5044) - approved 10-21-16
NESDIS Environmental Satellite Processing Center (ESPC) (NOAA5045) - approved 6/27/2013
NOAA Search and Rescue-Aided Satellite Tracking (SARSAT) 406 MHz Beacon Registration Database (NOAA5023) - approved 9/2/2014
NOAA Wallops Command and Data Acquisition Station Administrative LAN (NOAA5032) - approved 6/6/2016
NOAA Comprehensive Large-Array Stewardship System (CLASS) (NOAA5040) - approved 7/26/2016
National Ocean Service Enterprise Information System (NOAA6001) - approved 10/27/2014
National Ocean Service - National Center for Coastal Ocean Science (NCCOS) Research Support System (NOAA6301) - approved 4/15/2014
National Ocean Service - Coastal Services Center (NOAA6101) - approved 10/28/2011
National Ocean Service - Center for Operational Oceanographic Products and Services PORTS and NWLON System (NOAA6205) - approved 12/1/2016
National Ocean Service - Nautical Charting System (NOAA6501) - approved 11/22/2016
National Weather Service - Aviation Weather Center (NOAA8861) - approved 12/10/2015
National Weather Service - Configuration Branch Information Technology System (NOAA8100) - approved 10/7/2016
National Weather Service - NOAA Water Center (NOAA8202) - approved 09/29/2016
National Weather Service - Weather and Climate Infrastructure Services (WCCIS) (NOAA8860) - approved 6/9/2014
NOAA National Data Buoy Center (NOAA8873) - approved 10/19/2016
National Weather Service - Alaska Region General Support System (NOAA8880) - approved 6/3/2016
National Weather Service - Eastern Region LAN/WAN (NOAA8882) - approved 6/2/2015
National Weather Service - Western Region Workforce Database (NOAA8885) - approved 6/19/2014
National Weather Service - Southern Region General Support System (NOAA8884) - approved 10/12/2016
National Weather Service - Central Region WAN/LAN (NOAA8881) - approved 7/27/2015
National Weather Service - Radar Operations Center LAN (NOAA8877) - approved 3/18/2015
National Weather Service - Space Weather Prediction Center (NOAA8864) - approved 12/15/2014