Department of Health and Human Services (HHS) Policy for Privacy Impact Assessments (PIA) updates and supersedes the previous version (HHS-OCIO-2009-0002.001, dated February 9, 2009). The Policy was updated to align with current HHS Privacy Threshold Analysis (PTA), PIA, and Internal PIA processes.

The purpose of this Policy is to set forth the minimum HHS PTA, PIA, and Internal PIA requirements, as well as the accompanying review and publication processes.

The E-Government Act of 2002 and Office of Management and Budget (OMB) Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, require agencies to perform PIAs before developing, procuring, or using information technology (IT) systems or projects that collect, disseminate, maintain, or dispose of personally identifiable information (PII), or before initiating, consistent with the Paperwork Reduction Act (PRA), a new electronic collection of PII from ten or more individuals.

The public entrusts HHS with a wide array of personal information, ranging from basic identifiers, such as name and Social Security number, to more complex data, such as an individual’s genomic sequence or medical history. This public trust carries with it a corresponding responsibility that HHS protect and safeguard the information while it is being stored, transmitted, and shared by HHS. To ensure that the public’s personal information is protected in a manner commensurate with the privacy risks, HHS uses a privacy analysis process to assess the risks associated with HHS’s collection and maintenance of PII and to ensure information is handled in accordance with applicable legal, regulatory, and policy requirements. This process is documented in PTAs, PIAs, and Internal PIAs.

PTAs analyze how information is handled in IT systems and electronic information collections. If the analysis determines that the IT system or electronic information collection collects, disseminates, maintains, or disposes of PII, a PIA or Internal PIA shall also be required. PIAs are used to assess the privacy risks of IT systems and electronic information collections that collect, disseminate, maintain, or dispose of PII about members of the public. PIAs also provide transparency into how HHS collects, disseminates, maintains, or disposes of the public’s PII. Internal PIAs are used when an IT system or electronic information collection collects, disseminates, maintains, or disposes of PII only about HHS employees or direct contractors.

Given that HHS handles a large amount of PII, it is critical that responsible organizations follow the requirements set forth in this Policy to protect PII and retain the public’s trust. This Policy is supplemented by additional guidance that describes in greater detail the actions and activities that shall be taken to conduct and review PTAs, PIAs, and Internal PIAs at HHS.

Operating Division Senior Official for Privacy (or Designee)
HHS Senior Agency Official for Privacy (or Designee)
Agencies or Sub-components with Specific Government-wide Guidance
Executive Orders, Memoranda, and Directives