U.S. DEPARTMENT OF
HOUSING AND URBAN DEVELOPMENT
INITIAL PRIVACY ASSESSMENT (IPA)
Tenant Resource Network Program
Office of Housing Assistance and Grant Administration
Instruction & Template
5/25/11
INTRODUCTION
What is an Initial Privacy Assessment?
An Initial Privacy Assessment (IPA) is designed to assess whether a Privacy Impact Assessment (PIA), a Privacy Act system of records notice (SORN), and/or other related privacy documents are required. The responses to the IPA will provide a foundation for both a PIA and a SORN should either or both be required, and will also help to identify any policy concerns.
The IPA incorporates the matters previously addressed in the Department’s Privacy Identifiable Information (PII) Survey, and thus replaces the survey.
When should an IPA be completed?
An IPA should be completed during the system’s design phase, whether the system is electronic or contains only records in paper form, and should be completed before commencement of any testing or pilot project of an information system. Additionally, an IPA should be completed any time there is a change to the information system to determine whether there are any privacy issues as a result of such a change.
Who should complete the IPA?
The IPA should be written and reviewed by a combination of the component’s (e.g., Privacy Act Officer, System Owner, Project Leaders), and the program-specific office responsible for the system.
How is the IPA related to the Capital Planning and Certification and Accreditation process?
Upon completion and approval of the IPA by the Privacy Officer, the official document may be uploaded into the C&A tool and provided as part of the IT Capital Planning process as validation of the completed evaluation. The completed IPA demonstrates that the program components have consciously considered privacy and related requirements as part of the overall system design. For an IT system that does not require a C&A, such as a minor application that runs on a system that does require a C&A, an IPA should still be completed to determine whether other related privacy documentation is required for that system or project.
Where should the completed IPA be sent?
A copy of the completed IPA should be sent to the Office of Privacy via email to [email protected] and [email protected]. The Privacy Officer will review the IPA and determine what additional privacy documentation is required, and then will advise the Program component accordingly.
Initial Privacy Assessment
SECTION I: INFORMATION ABOUT THE SYSTEM OR PROJECT
Which of the following describes the type of records in the system:
Note: For purposes of this form, there is no distinction made between technologies/systems managed by contractors. All technologies/systems should be initially reviewed for potential privacy impact.
Question 1: Provide a general description of the system or Project. The following questions are intended to define the scope of the information in the system or project, specifically the nature of the information and the sources from which it is obtained.
Nonprofit entities
Application for funds and vouchering for funds
c. How is information transmitted to and from the system?
Grants.gov, LOCCS
d. What are the interconnections with other systems?
NA
QUESTION 2: Has the IPA been reviewed and approved by the Chief Privacy Officer?
NA
(If no, please contact component privacy official for official approval)
If this is a new system or project, specify expected production date.
New program, publication date expected before FY2012
If an existing system or project, specify date of production.
NA
QUESTION 4: Does this system or project collect personal identifiers/sensitive information?
YES | NO
Does the system or project collect personal/sensitive information (e.g., name, address, personal email address, gender/sex, race/ethnicity, income/financial data, employment history, medical history, Social Security Number, Tax Identification Number, Employee Identification Number, FHA Case Number)? This includes PII that may be part of a registration process.
If yes, specify the data sets collected or provided, and the legal authorities, arrangements, and/or agreements that authorize the collection of information (i.e., these must include authorities that cover all information collection activities, including Social Security Numbers).
TIN, EIN, Address, Financial, Owner/Agent/Board member names for identity of interest in narratives or forms SF-424, SF-424 Supplemental, HUD-424 CBW, SF-LLL, HUD-2880, HUD-92041, HUD 2994-A, HUD-96010, Form HUD-96011 and HUD 50080-TRNP.
QUESTION 5: Does the information about individuals identify particular individuals (i.e., is the information linked or linkable to specific individuals, often referred to as personally identifiable information?)
names and workplaces or work affiliation, SS# on form 2880
QUESTION 6: What type of Notice(s) are provided to the individual on the scope of information collected, the opportunity to consent to uses of said information, and the opportunity to decline to provide information? (A notice may include a posted privacy policy, a Privacy Act notice on form(s), and/or a system of records notice published in the Federal Register.)
Privacy Act statements on 83i and on 2880
Yes, it is voluntary and they may apply if they do not submit the information.
NA
QUESTION 7: Is there a Certification & Accreditation record for your system?
Yes
Specify below the system's categorization. If not available, identify the FISMA-reported system whose Certification and Accreditation covers this system.
Grants.gov and LOCCS
Confidentiality: Low | Moderate | High | Undefined
Integrity: Low | Moderate | High | Undefined
Availability: Low | Moderate | High | Undefined
SECTION II - Existing System or Project
(Only complete Section II if this is an existing system or project).
QUESTION 1: When was the system developed?
<<ADD ANSWER HERE>>
QUESTION 2: If an existing system, has the system undergone any changes since April 17, 2003?
<<ADD ANSWER HERE>>
QUESTION 3: Do the changes to the system or project involve a change in the type of records maintained, the individuals on whom records are maintained, or the use or dissemination of information from the system?
<< ADD ANSWER HERE>>
QUESTION 4: Please indicate if any of the following changes to the system or project have occurred: (Mark all boxes that apply.)
A conversion from paper-based records to an electronic system.
A change from information in a format that is anonymous or non-identifiable to a format that is identifiable to particular individuals.
A new use of an IT system, including application of a new technology that changes how information in identifiable form is managed. (For example, a change that would create a more open environment and/or avenue for exposure of data that previously did not exist.)
A change that results in information in identifiable form being merged, centralized, or matched with other databases.
A new method of authenticating the use of and access to information in identifiable form by members of the public.
A systematic incorporation of databases of information in identifiable form purchased or obtained from commercial or public sources.
A new interagency use or shared agency function that results in new uses or exchanges of information in identifiable form.
A change that results in a new use or disclosure of information in identifiable form.
A change that results in new items of information in identifiable form being added into the system.
QUESTION 5: Does a PIA for the system already exist? If yes, please provide a copy of the notice as an appendix.
<< ADD ANSWER HERE>>
(To be completed by the Privacy Office)
This is NOT a Privacy Sensitive Project – the project contains no personal identifiers/sensitive information
This IS a Privacy Sensitive Project
IPA sufficient at this time
A PIA is required
The existing PIA requires an update/deletion
A SORN is required
The existing SORN requires an update/deletion
Other
COMMENTS:
DATE REVIEWED:
REVIEWER'S NAME:
By signing below, you attest that the content captured in this document is accurate and complete and meets the requirements of applicable federal regulations and HUD internal policies.
SYSTEM OWNER: << INSERT NAME/TITLE>>
Date
<<INSERT PROGRAM OFFICE>>
PROGRAM AREA MANAGER: Claire Trivedi
Date
Office of Housing Assistance and Grant Administration
CHIEF PRIVACY OFFICER: Angela Connors
Date
Office of the Chief Information Officer
U. S. Department of Housing and Urban Development
File Type | application/msword
File Title | Attached for your immediate attention is the electronic copy of the SSN and PII memorandum distributed to Departmental Principle
Author | Nadine Craft
Last Modified By | Preferred User
File Modified | 2011-06-01
File Created | 2011-05-25