Office of the Chief Information Officer &
High Performance Computing and Communications

NOAA Privacy Web page

(Link to DOC Privacy Web page)

 

NOAA Privacy Team

1. Rob Swisher, Director, Governance and Portfolio Division, robert.swisher@noaa.gov, 301-628-5755
2. Mark Graff, Bureau Chief Privacy Officer, mark.graff@noaa.gov, 301-628-5658
3. Sarah Brabson, Bureau Privacy Act Officer (and initial contact for PIA and PTA review), sarah.brabson@noaa.gov, 301- 628-5751
4. Eric Williams, Bureau Privacy Breach Lead, eric.d.williams@noaa.gov, 301-713-9111

DOC Chief Privacy Officer: Catrina Purvis: CPurvis@doc.gov

 

Federal agencies are required by law to protect information about individuals (members of the public, Federal employees and contractors) which they may collect, disseminate and/or store.

 

The Privacy Act of 1974 (5 USC 552a) regulates the Federal Government's collection, use, maintenance, and dissemination of information about individuals.  The Act establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual. The Privacy Act requires that agencies give the public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of information from a system of records absent the written consent of the subject individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records, and sets forth various agency record-keeping requirements.

Personally Identifiable Information (PII) and Business Indentifiable Information (BII)

The term “personally identifiable information” refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as gender, date and place of birth, mother’s maiden name, etc. Name and contact information are PII.

Sensitive PII: (from OMB M-07-16, below): Using a best judgment standard, the sensitivity of certain terms, such as personally identifiable information, can be determined in context. For example, an office directory contains personally identifiable information (name, phone number, etc.). In this context the information probably would not be considered sensitive; however, the same information in a database of patients at a clinic which treats contagious disease probably would be considered sensitive information. PII that is always considered sensitive includes the social security number and any financially-related numbers such as credit card numbers and checking accounts.

The Department of Commerce (DOC) also requires protection of Business identifiable information (BII) :BII consists of information that is defined in the Freedom of Information Act (FOIA) as "trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential." (5 U.S.C.552(b)(4)). This information is exempt from automatic release under the (b)(4) FOIA exemption. "Commercial" is not confined to records that reveal basic commercial operations but includes any records [or information] in which the submitter has a commercial interest and can include information submitted by a nonprofit entity.

Here is an overview of the same information about PII and BII in a brochure published by DOC's Privacy Program in 2015. FAQs are included.

NOAA Privacy Training Slides: March 9, 2016

Privacy-Related Statutes and Memoranda

Here is the NOAA Data Loss Prevention Plan, signed by Zach Goldstein on August 30, 2016. The related DOC memorandum is here.

The NOAA Privacy Policy was signed by Zach Goldstein on May 30, 2017.

The NOAA Unmanned Aircraft Systems Privacy Policy was signed by Zach Goldstein on March 28, 2017.

 

DOC and NOAA Privacy Control Allocations and Artifacts -basic information regarding privacy controls assessment.

NOAA Privacy Control Allocations and Implementation Statements (approved by NOAA Chief Privacy Officer but not yet reviewed by DOC Privacy Officer)

PIA template with cross-references to Privacy Controls - not for use in writing PIAs, but for auditors, as a tool for reviewing implementation of privacy controls

 

Privacy Threshold Analysis

See the Privacy Threshold Analysis (PTA) template.

First, ensure that a system description is included; the recommendation is to use the one in CSAM.

Then, follow the instructions to determine if a PIA is needed. NOTE: the current PTA template states that not all questions need to be answered, if the answer to Question 1 indicates a PIA is not needed. However, we request that you answer all questions, to have a clear record of whether the system has PII or BII and from whom it is collected. Also, BEFORE collecting the required silgnatures on the PTA, please send to Sarah. Brabson@noaa.gov the Word version for review. Signatures: as with the PIA, no co-AO signature is needed.

 

Privacy Impact Assessments

Privacy Impact Assessments (PIAs) are required by Section 208 of the E-Government Act for all Federal government agencies that develop or procure new technology(e.g. an electronic database) involving the collection, maintenance or dissemination of personally identifiable information or that make substantial changes to existing technology for managing information in identifiable form. The Office of Management and Budget (OMB) ensures that PIAs necessitated under the E-Government Act are completed by requiring them as part of the annual budget process.

A PIA is an analysis of how personally identifiable information is collected, stored, protected, shared and managed. “Personally identifiable information” (PII) is defined as information in a system or online collection that directly or indirectly identifies an individual whether the individual is a U.S. Citizen, Legal Permanent Resident, or a visitor to the U.S. Please refer to the NOAA PIA Guidance and template for basic instructions, as well as additional DOC guidance for new questions in the 2015 PIA template. Please contact Sarah Brabson, NOAA OCIO Privacy Coordinator, (301) 628-5751, or Sarah.Brabson@noaa.gov foradditional guidance. OMB's Guidance for Implementing Section 208 also provides background information. NOTE: Please do not convert the PIA document to pdf, only the signature page, so that reviewers may edit and comment easily.

DOC Memo of November 18, 2014, citing M-14-04, and stating policy that the NIST 800-53 Rev 4 Privacy Controls must be implemented.

PIA Guidance

PIA Template

PIA Example

PTA Template

 

Prvacy Act System of Record Notices (SORNs)


Any system of records as defined in section (a)(5) of the Privacy Act (“ . . .a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual”) and noted in a System of Records Notice (SORN) in the FEDERAL REGISTER either by the Department of Commerce or by another Federal agency. Each PIA must be covered by at least one SORN.

Pkease go here for a listing of current NOAA SORNs and a link to DOC SORNs.

Exemptions to the Privacy Act: All Exemptions to the Privacy Act have been included within the Federal Register Notice for the applicable SORN, listed here:

PRIVACY ACT REQUESTS (for individuals who wish to request access to, or amendment of, their records) These requests need to be submitted pursuant to 15 CFR 4.24. 

 

Related Requirement which MAY apply:

The collection of information also may require approval by OMB under the Paperwork Reduction Act. For more information on Paperwork Reduction Act (PRA) requirements, please go to the Paperwork Reduction Act Home Page or contact Sarah Brabson (who is also the NOAA PRA Clearance Officer).

 

Approved NOAA PIAs:

NOAA Cyber Security Center (NOAA0100) - approved 10/7/2016

NOAA Web Operations Center (NOAA0201) - approved 1/9/2017

NOAA Information Technology Center (NOAA1101), approved 5/25/16

NOAA Corporate Services Local Area Network (LAN) (NOAA1200) - approved 3/24/2017

NOAA Everbridge Mass Notification System (ENS) (NOAA0900) - approved 6/15/2017

NOAA Office of Marine and Aviation Operations Ship Fleet Support System - approved 10/21/2016

NOAA NMFS Headquarters Wide Area Network and Enterprise Services (NOAA4000) - approved 5/12/2017

NOAA NMFS Permits and Landing System (NOAA4011) - approved 2/10/2017

NOAA NMFS Greater Atlantic Region Office Network (NOAA4100) - approved 7/26/2016

NOAA NMFS Northeast Fisheries Science Center (NOAA4200) - approved 5/12/2017

NOAA NMFS Southeast Region Local Area Network (NOAA4300) - approved 5/12/2017

NOAA NMFS Southeast Fisheries Science Center Network (NOAA4400) - approved 6/21/2016

NOAA NMFS West Coast Region Local Area Network (NOAA4500) - approved 12/5/2016

NOAA NMFS Northwest Fisheries Science Center (NOAA4600) - approved 5/12/2017

NOAA NMFS Alaska Region Local Area Network (NOAA4700) - approved 5/12/2017

NOAA NMFS Alaska Fisheries Science Center Network (NOAA4800) - approved 5/12/2017

NOAA NMFS Pacific Islands Region Local Area Network (NOAA4920) - approved 10/19/2016

NOAA NMFS Southwest Fisheries Science Center (NOAA4930) - approved 2/4/2016

NOAA NMFS Pacific Islands Fisheries Science Center Network (NOAA4960) - approved 9/30/2016

NOAA NMFS Science and Technology Division (NOAA4020) - approved 7/25/2016

NOAA Data Collection System (DCS) (NOAA5004) - approved 9/23/2016

NOAA National Climatic Data Center Local Area Network (LAN) (NOAA5009) - approved 2/11/2015

NESDIS National Oceanographic Data Center (NOAA5010)- approved 9/6/2016

NOAA Data Archive Management and User System (NOAA5011) - approved 8/11/2016

NESDIS Headquarters Information System (NOAA5006) - approved 5/16/17

NESDIS Fairbanks Command and Data Acquisition Station Administrative Local Area Network (LAN) (NOAA5008) - approved 6/9/2014

NESDIS Center for Satellite Applications and Research (STAR) LAN (NOAA5018) - approved 7/27/2015

NOAA Satellite Operations Facilities Administrative LAN (NOAA5044) - approved 10-21-16

NESDIS Environmental Satellite Processing Center (ESPC) (NOAA5045) - approved 6//8/2017

NOAA Search and Rescue-Aided Satellite Tracking (SARSAT) 406 MHz Beacon Registration Database (NOAA5023)- approved 6/8/2017

NOAA Wallops Command and Data Acquisition Station Administrative LAN (NOAA5032) - approved 6/6/2016

NOAA Comprehensive Large-Array Stewardship System (CLASS) (NOAA5040)- approved 7/26/2016

National Ocean Service Enterprise Information System (NOAA6001) - approved 3/23/2017

National Ocean Service - National Center for Coastal Ocean Science (NCCOS) Research Support System (NOAA6301) - approved 3/23/2017

National Ocean Service - Coastal Services Center (NOAA6101) approved 3/24/2017

National Ocean Service - Center for Operational Oceanographic Products and Services PORTS and NWLON System (NOAA6205) approved 12/1/2016

National Ocean Service - Nautical Charting System (NOAA6501) - approved 11/22/2016

National Weather Service - Aviation Weather Center (NOAA8861) - approved 12/10/2015

National Weather Service - Configuration Branch Information Technology System (NOAA8100) - approved 10/7/2016

National Weather Service - NOAA Water Center (NOAA8202) - approved 09/29/2016

National Weather Service - Performance Management System (NOAA8203) - approved 6/1/2017

National Weather Service - Weather and Climate Infrastructure Services (WCCIS) (NOAA8860)- approved 6/9/2014

NOAA National Data Buoy Center (NOAA8873) - approved 10/19/2016

National Weather Service - Alaska Region General Support Syistem (NOAA8880) - approved 6/3/2016

National Weather Service - Central Region WAN/LAN (NOAA8881)- approved 7/27/2015

National Weather Service - Eastern Region LAN/WAN (NOAA8882) - approved 6/2/2015

National Weather Service - Pacific Region (NOAA8883) - approved 5/12/2017

National Weather Service - Southern Region General Support System (NOAA8884) - approved 10/12/2016

National Weather Service - Western Region Workforce Database (NOAA8885) - approved 6/19/2014

National Weather Service - Radar Operations Center LAN (NOAA8877) - approved 5/12/2017

National Weather Service - Space Weather Prediction Center (NOAA8864)- approved 12/15/2014