U.S. DEPARTMENT OF
HOUSING AND URBAN DEVELOPMENT
INITIAL PRIVACY ASSESSMENT (IPA)
[Energy Efficient Mortgage (EEM)]
[Home Mortgage Insurance Division]
Instruction & Template
[11/3/2011]
INTRODUCTION
What is an Initial Privacy Assessment?
An Initial Privacy Assessment (IPA) is designed to assess whether a Privacy Impact Assessment (PIA), a Privacy Act system of records notice (SORN), and/or other related privacy documents are required. The responses to the IPA will provide a foundation for determining if either a PIA or SORN or both will be required, and will also help to identify any policy concerns.
The IPA incorporates the matters previously addressed in the Department’s Privacy Identifiable Information (PII) Survey, and thus replaces the survey.
When should an IPA be completed?
An IPA should be completed for all information collection activities, whether the system is electronic or contains only records in paper form, and should be completed before commencement of any testing or pilot project of an information system or prior to implementing new information collections requests. Additionally, an IPA should be completed any time there is a change to the information system or collection to determine whether there are any privacy issues as a result of such a change.
Who should complete the IPA?
The IPA should be written and reviewed by a combination of the component’s (e.g., Privacy Act Officer, System Owner, Project Leaders), and the program-specific office responsible for the system, project or information collections.
How is the IPA related to the Capital Planning, Certification and Accreditation, and the Paperwork Reduction Act process?
Upon completion and approval of the IPA by the Privacy Officer the official document may be uploaded into the C&A tool, and provided as part of the IT Capital Planning, and Paperwork Reduction Act package as validation of the completed evaluation. The completed IPA demonstrates that the program components have consciously considered privacy and related requirements as part of the overall information activities. For an IT system that does not require a C&A, such as a minor application that runs on a system that does require a C&A, an IPA still should be completed to determine if other related privacy documentation are required for that system or project.
Where should the completed IPA be sent?
A copy of the completed IPA should be sent to the Office of Privacy Project Leads for review. The Privacy Officer will review the IPA and determine what additional privacy documentation is required, and then will advise the Program component accordingly.
Initial Privacy Assessment
SECTION I: INFORMATION ABOUT THE SYSTEM OR PROJECT
Which of the following describes the type of records in the system:
|
|
Note: For this form purpose, there is no distinction made between technologies/systems managed by contractors. All technologies/systems should be initially reviewed for potential privacy impact.
Question 1: Provide a general description of the system or Project. The following questions are intended to define the scope of the information in the system, information collection, or project, specifically the nature of the information and the sources from which it is obtained.
The EEM program requires that the borrower obtain and give to their lender a certain type of home energy audit. This audit report will provide recommendations for home improvements that will improve the home’s energy performance. When the borrower chooses to make any of recommended improvements, and the chosen improvements are determined to be “cost-effective”, then cost of making those improvements may be added to the borrower’s standard FHA-insured mortgage. The borrower’s standard FHA-insured mortgage provides funds to purchase a home, or to refinance an existing mortgage on a home. The EEM loan program provides homeowners with additional funds to pay for energy-saving improvements.
The audit report must show the address of the property that was audited, and this address must match the address that the lender entered into FHA Connection to insure the mortgage. FHA Connection HUD’s computer system that lenders use to registered mortgages for FHA insurance
The home energy audit report may also show the borrower’s name, and the FHA case number for reference. The FHA case number is generated by HUD for the lender, when the lender registers the mortgage in FHA Connection.
The lender enters the borrower’s name into FHA Connection, as part of the registration process of a standard FHA-insured mortgage. The purpose of a standard FHA-insured mortgage to enable the purchase a home or refinance an existing home mortgage. The EEM financing may be added to the standard mortgage, in order for the borrower to obtain additional financing, to pay for cost-effective home energy improvements.
The lender is required to check an EEM indicator box in FHA Connection, whenever the borrower elects to add the cost of the energy improvements to their FHA-insured mortgage. This indicator box informs that the mortgage includes EEM-related financing.
The lender must also provide the dollar amount of the EEM-related financing was added to the FHA-insured loan amount.
<< This information collected is provided in a home energy audit, which informs about home improvements that are recommended for energy conservation. The information also informs which improvements are cost-effective. When proposed improvements are determined to be cost-effective, then the cost of these improvements may be financed into the regular FHA loan amount.
As part of the audit assessment, the report provides a cost estimate for making each improvement, as well as the utility savings that could be expected for each completed improvement. This information is used to evaluate the amount of funds that may be financed with the borrower’s standard FHA-insured mortgage. >>
c. How is information transmitted to and from the system, information collection, or project?
<<Information is collected on a home energy audit. Some of the information from the audit is transmitted to HUD through FHA Connection. The information transmitted to HUD is (a) an indicator flag to show that the loan is an Energy Efficient Mortgage, and (b) the amount of funds the lender escrows (holds) for completion of energy-efficiency improvements.
HUD does not require that other information be transmitted to HUD, but expects the lender to retain in its file: (a) the audit report, showing the recommended improvements and whether those improvements are cost-effective; (b) which improvements were completed (c) the cost of completed improvements. >>
d. What are the interconnections with other systems or projects?
<<The Energy Efficient Mortgage program overlays with FHA’s core home mortgage insurance program. The core program insures mortgages obtained to purchase a home, or to refinance an existing mortgage. >>
QUESTION 2: Have the IPA been reviewed and approved by the Chief Privacy Officer.
<< No, not as of 11/3/11 >>
(If no, please contact component privacy official for official approval) Note: this instruction conflicts with instruction provided from Angela Conner, in a meeting to discuss the process. Here it was informed that the IPA should be sent to LaJuan Gladden, not to the privacy official. |
If this is a new system, information collection, or project, specify expected production date.
<<The collection of information related to this program is not new. >>
If an existing system, information collection, or project, specify date of production.
<< It began with announcement in ML 2005-32>>
QUESTION 4: Does this system, information collection, or project collect personal identifiers/sensitive information
YES
|
NO
|
Does the system, information collection, or project collect personal/sensitive information? (e.g. name, address, personal email address, gender/sex, race/ethnicity, income/financial data, employment history, medical history, Social Security Number, Tax Identification Number, Employee Identification Number, FHA Case Number). Includes PII that may be part of a registration process?
|
If yes, specific data sets collected or provided, and the legal authorities, arrangement, and/or agreement authorize the collection of information (i.e. must include authorities that cover all information collection activities, including Social Security Numbers)?
<<
The lender is required to obtain (from the borrower) the home audit report, which will show the address of the home on which the energy audit was conducted.
The audit report may also show the FHA case number and borrower name. If the audit shows the borrower name and FHA case number, it is because the borrower provided that information to the auditor.
The audit is provided by the borrower to the lender, and the report is required to be kept in the lenders file on the borrower. HUD does not require that the audit report be transmitted to HUD.
The lender does not transmit PII information to HUD as part of the EEM process. The PII information (property address, borrower name and FHA Case number) is not collected as part of the EEM program.
The property address and borrower name are collected by the lender, and subsequently provided to HUD, via FHA Connection, as part of the lender’s process of securing FHA insurance on a standard mortgage.
The FHA Case number is generated by FHA Connection, and is provided to the lender, when the lender registers a mortgage for FHA insurance. >>
QUESTION 5: Does the information about individuals identify particular individuals (i.e., is the information linked or linkable to specific individuals, often referred to as personally identifiable information?)
<<The audit report that the borrower provides to their lender, will show the address of the home on which the audit was conducted, and may show the borrower’s name and FHA Case number. HUD expects that the address is, or will become, the borrower’s primary residence. >>
QUESTION 6: What type of Notice(s) are provided to the individual on the scope of information collected, the opportunity to consent to uses of said information, the opportunity to decline to provide information. (A notice may include a posted privacy policy, a Privacy Act notice on form(s), and/or a system of records notice published in the Federal Register.)
<<No, there are no forms used for EEM. The PII transmitted to HUD for the standard mortgage, incorporates a privacy notice to the borrower for the FHA-insured mortgage. The notice is provided on the HUD/VA Addendum to Uniform Residential Mortgage Application (92700) http://portal.hud.gov/hudportal/documents/huddoc?id=92900-a.pdf>>
|
<<The privacy notice on 92900 informs that the borrower is not required to respond to the collection of information. Should the borrower decline to complete the 92900, then a mortgage would not be FHA-insurable, and the EEM would have no basis for borrower to finance the cost of energy efficiency home improvements. >>
|
<< Borrowers must apply to participate in the EEM program. If a borrower wishes to participate in the program, they obtain a home energy audit. Although HUD does not collect information on that audit, the audit must show the address of the home receiving the audit, and may show the FHA Case number and borrower name. This information must be consistent with information provided to HUD for the borrowers standard mortgage. >>
|
QUESTION 7: Is there a Certification & Accreditation record for your system? (This question does not apply to Information Collection Requests) |
||||||||
<<N/A>>
Specify below the systems categorization. If not available identify the FISMA-reported system whose Certification and Accreditation covers this system.
<<N/A>>
|
||||||||
Confidentiality |
|
Low |
|
Moderate |
|
High |
|
Undefined |
Integrity |
|
Low |
|
Moderate |
|
High |
|
Undefined |
Availability |
|
Low |
|
Moderate |
|
High |
|
Undefined |
SECTION II - Existing System or Project
(Only complete Section II if this is an existing system, information collection, or project).
QUESTION 1: When was the system, information collection, or project developed?
<< It began with announcement in ML 2005-21>>
QUESTION 2: If an existing system, information collection, or project, has the system or project undergone any changes since April 17, 2003?
<<No, there have been no changes in the minimum data collection requirements since the program was announced in ML 2005-21>>
QUESTION 3: Do the changes to the system, information collection, or project involve a change in the type of records maintained, the individuals on whom records are maintained, or the use or dissemination of information from the system?
<< There are no new changes in data to be collected. >>
QUESTION 4: Please indicate if any of the following changes to the system or project have occurred: (Mark all boxes that apply.) None of these boxes apply.
|
A conversion from paper-based records to an electronic system.
|
|
A change from information in a format that is anonymous or non-identifiable to a format that is identifiable to particular individuals.
|
|
A new use of an IT system, including application of a new technology that changes how information in identifiable form is managed. (For example, a change that would create a more open environment and /or avenue for exposure of data that previously did not exist.)
|
|
A change that results in information in identifiable form being merged, centralized, or matched with other databases.
|
|
A new method of authenticating the use of an access to information in the identifiable form by members of the public.
|
|
A systematic incorporation of databases of information in identifiable form purchased or obtained from commercial or public sources.
|
|
A new interagency use of shared agency function that results in new uses or exchanges of information in identifiable form.
|
|
A change that results in a new use of disclosure of information in identifiable form.
|
|
A change that results in new items of information in identifiable form being added into the system. |
QUESTION
5: Does a PIA
IPA for the system or project already exist? If
yes, please provide a copy of the notice as an appendix.
<< No, this is the first IPA for the EEM PRA>>
(To be completed by the Privacy Office)
|
This is NOT a privacy sensitive system, information collection or project – the system, information collection, or project contains no personal identifiers/sensitive information
|
|
This IS a Privacy Sensitive Project |
|
IPA sufficient at this time
|
|
A PIA is required |
|
The existing PIA requires an update/deletion |
|
A SORN is required |
|
The existing SORN requires an update or should be deleted |
|
Other |
COMMENTS:
|
|
DATE REVIEWED: |
REVIEWERS NAME: |
By Signing below you attest that the content captured in this document is accurate and complete and meet the requirements of applicable federal regulations and HUD internal policies.
|
|
|
|
|
|
SYSTEM OR PROJECT OWNER<< INSERT NAME/TITLE>>
|
|
Date |
<<INSERT PROGRAM OFFICE>> |
|
|
|
|
|
|
|
|
|
|
|
PROGRAM AREA MANAGER<<INSERT NAME/TITLE>> |
|
Date |
<<INSERT PROGRAM OFFICE>> |
|
|
|
|
|
|
|
|
|
|
|
CHIEF PRIVACY OFFICER,<<INSERT NAME>> |
|
Date |
Office of the Chief Information Officer |
|
|
U. S. Department of Housing and Urban Development |
|
|
| File Type | application/msword |
| File Title | Attached for your immediate attention is the electronic copy of the SSN and PII memorandum distributed to Departmental Principle |
| Author | Nadine Craft |
| Last Modified By | h45362 |
| File Modified | 2011-11-14 |
| File Created | 2011-11-01 |