U.S. DEPARTMENT OF
HOUSING AND URBAN DEVELOPMENT
INITIAL PRIVACY ASSESSMENT (IPA)
Comprehensive Listing of Transactional Documents for Mortgagors, Mortgagees and Contractors
Office of Healthcare Programs
Office of Residential Care Facilities
Instruction & Template
November 8, 2012
INTRODUCTION
What is an Initial Privacy Assessment?
An Initial Privacy Assessment (IPA) is designed to assess whether a Privacy Impact Assessment (PIA), a Privacy Act system of records notice (SORN), and/or other related privacy documents are required. The responses to the IPA will provide a foundation for determining if either a PIA or SORN or both will be required, and will also help to identify any policy concerns.
The IPA incorporates the matters previously addressed in the Department’s Personally Identifiable Information (PII) Survey, and thus replaces the survey.
When should an IPA be completed?
An IPA should be completed for all information collection activities, whether the system is electronic or contains only records in paper form, and should be completed before commencement of any testing or pilot project of an information system or prior to implementing new information collections requests. Additionally, an IPA should be completed any time there is a change to the information system or collection to determine whether there are any privacy issues as a result of such a change.
Who should complete the IPA?
The IPA should be written and reviewed by a combination of the component’s (e.g., Privacy Act Officer, System Owner, Project Leaders, Paperwork Reduction Act Compliance Officers), and the program-specific office responsible for the system, project or information collections.
How is the IPA related to the Capital Planning, Certification and Accreditation, and the Paperwork Reduction Act process?
Upon completion and approval of the IPA by the Privacy Officer the official document may be uploaded into the C&A tool, and provided as part of the IT Capital Planning, and Paperwork Reduction Act package as validation of the completed evaluation. The completed IPA demonstrates that the program components have consciously considered privacy and related requirements as part of the overall information activities. For an IT system that does not require a C&A, such as a minor application that runs on a system that does require a C&A, an IPA still should be completed to determine if other related privacy documentation are required for that system or project.
Where should the completed IPA be sent?
A copy of the completed IPA should be sent to the Office of Privacy Project Leads for review. The Privacy Officer will review the IPA and determine what additional privacy documentation is required, and then will advise the Program component accordingly.
Initial Privacy Assessment
INFORMATION ABOUT THE SYSTEM OR PROJECT
Which of the following describes the type of records in the system:
|
|
Note: For this form purpose, there is no distinction made between technologies/systems managed by contractors. All technologies/systems should be initially reviewed for potential privacy impact.
Section I: The Entire IPA (Sections I and II) Should be Completed for New Systems or Projects. If this is an Existing System or Project Skip to Section II. Unless requested by the Office of Privacy, this section should not be completed for an existing System or Project.
Question 1: Provide a general description of the system of Project. The following questions are intended to define the scope of the information in the system, information collection, or project, specifically the nature of the information and the sources from which it is obtained.
The respondents are owners/sponsors, general contractors, lenders, and others involved in residential healthcare facility projects, which may, at times include local government entities and other third parties.
This information collection contains forms required for processing applications for FHA mortgage insurance under the Section 232 program for Residential Care Facilities, for ongoing asset management of those FHA insured facilities, and other information related to these facilities for loan modifications, physical and environmental reviews.
c. How is information transmitted to and from the system, information collection, or project?
Forms for FHA mortgage insurance applications are submitted in hard copy and electronically via compact disk or flash drive. Other forms may be submitted in hard copy, facsimile or via email attachment.
d. What are the interconnections with other systems or projects?
None.
QUESTION 2: Have the IPA been reviewed and approved by the Chief Privacy Officer
No. Privacy official has been contacted.
(If no, please contact component privacy official for official approval)
|
If this is a new system, information collection, or project, specify expected production date.
The new information collection was submitted for public comment on May 3, 2012, with a potential final approval and publication date near October, 2012.
If an existing system, information collection, or project, specify date of production.
N/A – new collection
QUESTION 4: Does this system, information collection, or project collect personal identifiers/sensitive information?
YES
|
NO
|
Does the system, information collection, or project collect personal/sensitive information? (e.g. name, address, personal email address, gender/sex, race/ethnicity, income/financial data, employment history, medical history, Social Security Number, Tax Identification Number, Employee Identification Number, FHA Case Number). Includes PII that may be part of a registration process?
|
If yes, specific data sets collected or provided, and the legal authorities, arrangement, and/or agreement authorize the collection of information (i.e. must include authorities that cover all information collection activities, including Social Security Numbers)?
Yes, this collection does include forms that contain collect personal identifiers/sensitive information. Part of our loan application process requires verification of financial strength and viability of both the business entity and its owner(s). This verification is done through screening in the HUD Active Partners Performance System (APPS) and Business Partner Registration System (PBRS), as well as credit reports. Though HUD does not run the credit reports directly, they are required to be submitted as part of the application. Applicants are able to enter their personal information directly in the BPRS and APPS; however, if they choose to submit a paper submission for APPS instead of using the electronic option, then they must provide the necessary personal information for the HUD reviewer to enter the data into the system and conduct the Previous Participation review. APPS and BPRS are systems used throughout the Office of Housing, and are not unique to the Office of Healthcare Programs. Any forms in this information collection that do contain personal/sensitive information do contain the appropriate Privacy Act Notice in the document heading.
QUESTION 5: Does the information about individuals identify particular individuals (i.e., is the information linked or linkable to specific individuals, often referred to as personally identifiable information?)
Yes, the collection requires the identifiable information be submitted for the business entities applying for mortgage insurance. Though individuals may be the principal participants in these entities, the data they provide is related to their business relationship(s) rather than their personally identifiable information.
QUESTION 6: What type of Notice(s) are provided to the individual on the scope of information collected, the opportunity to consent to uses of said information, the opportunity to decline to provide information. (A notice may include a posted privacy policy, a Privacy Act notice on form(s), and/or a system of records notice published in the Federal Register.)
Yes. When personal information is required within a document, a Privacy Act notice is included directly on that form.
|
No. The Public Reporting section of the header (in Appendix A) clarifies that response to requested information is required in order to receive the benefits to be derived.
|
No. |
QUESTION 7: Is there a Certification & Accreditation record for your system? (This question does not apply to Information Collection Requests) |
||||||||
N/A – Information Collection Request
Specify below the systems categorization. If not available identify the FISMA-reported system whose Certification and Accreditation covers this system.
N/A – Information Collection Request
|
||||||||
Confidentiality |
|
Low |
|
Moderate |
|
High |
|
Undefined |
Integrity |
|
Low |
|
Moderate |
|
High |
|
Undefined |
Availability |
|
Low |
|
Moderate |
|
High |
|
Undefined |
SECTION II - The Entire IPA should be completed for New Systems or Projects. If this is an Existing System or Project Complete Only Complete This Section.
QUESTION 1: When was the system, information collection, or project developed?
While there are forms in this information collection that have existed within the Office of Multifamily Housing and have been developed and modified anywhere from the last one to twenty years, the updates to these documents with respect to the Office of Healthcare Programs and this current collection have only been in development since 2008. The collection has been finalized as well as formalized the fourth quarter of 2011.
QUESTION 2: If an existing system, information collection, or project, has the system or project undergone any changes since April 17, 2003?
The Office of Residential Care Facilities (under the Office of Healthcare Programs), has only been in existence since December, 2008. The information collection forms being used since that time have been those from the Office of Multifamily Housing. This collection is being done to tailor the forms to meet the requirements that are unique to this newly created division.
QUESTION 3: If an existing system, information collection, or project, has the system or project, explain the changes the system or project will be undergoing as part of this renewal/update process.
This information collection involves modifications to existing forms completed for the submission of Section 232, Residential Care Facilities, FHA mortgage insurance applications, as well for the ongoing asset management of Residential Care Facilities projects with FHA mortgage insurance under the Section 232 program. The collection also includes new forms that will be used by Lenders, Borrowers, Contractors and other business entities in the healthcare industry who are a part of the FHA application process. The existing forms are being modified from the Multifamily Housing format so that they address the needs of the Office of Healthcare Programs, and provide for standardization of submitted information. New forms are being added to the collection to also create standardization of submitted information that did not previously exist in the Multifamily collection.
QUESTION 4: Do the changes to the system, information collection, or project involve a change in the type of records maintained, the individuals on whom records are maintained, or the use or dissemination of information from the system?
This information collection does not involve a change in the type of records maintained, the individuals on whom records are maintained, or the use or dissemination of information in the system.
QUESTION 5: Please indicate if any of the following changes to the system or project have occurred: (Mark all boxes that apply.)
|
A conversion from paper-based records to an electronic system.
|
|
A change from information in a format that is anonymous or non-identifiable to a format that is identifiable to particular individuals.
|
|
A new use of an IT system, including application of a new technology that changes how information in identifiable form is managed. (For example, a change that would create a more open environment and /or avenue for exposure of data that previously did not exist.)
|
|
A change that results in information in identifiable form being merged, centralized, or matched with other databases.
|
|
A new method of authenticating the use of an access to information in the identifiable form by members of the public.
|
|
A systematic incorporation of databases of information in identifiable form purchased or obtained from commercial or public sources.
|
|
A new interagency use of shared agency function that results in new uses or exchanges of information in identifiable form.
|
|
A change that results in a new use of disclosure of information in identifiable form.
|
|
A change that results in new items of information in identifiable form being added into the system. |
QUESTION 6: Does a PIA for the system or project already exist? If yes, please provide a copy of the notice as an appendix.
No, a PIA does not currently exist.
(To be completed by the Privacy Office)
|
This is NOT a privacy sensitive system, information collection or project – the system, information collection, or project contains no personal identifiers/sensitive information
|
|
This IS a Privacy Sensitive Project |
|
IPA sufficient at this time
|
|
A PIA is required |
|
The existing PIA requires an update/deletion |
|
A SORN is required |
|
The existing SORN requires an update or should be deleted |
|
Other |
COMMENTS:
|
|
DATE REVIEWED: |
PRIVACY REVIEWING OFFICIALS NAME: |
By Signing below you attest that the content captured in this document is accurate and complete and meet the requirements of applicable federal regulations and HUD internal policies.
|
|
|
|
|
|
SYSTEM OR PROJECT OWNER<< INSERT NAME/TITLE>>
|
|
Date |
<<INSERT PROGRAM OFFICE>> |
|
|
|
|
|
|
|
|
|
|
|
PROGRAM AREA MANAGER<<INSERT NAME/TITLE>> |
|
Date |
<<INSERT PROGRAM OFFICE>> |
|
|
|
|
|
|
|
|
|
|
|
CHIEF PRIVACY OFFICER,<<INSERT NAME>> |
|
Date |
Office of the Chief Information Officer |
|
|
U. S. Department of Housing and Urban Development |
|
|
APPENDIX A
Evidence of Privacy Notice
HUD Form Name
|
U.S. Department of Housing and Urban Development Office of Residential Care Facilities |
OMB Approval No. 9999-9999 (exp. mm/dd/yyyy) |
Public reporting burden for this collection of information is estimated to average ___ hour(s). This includes the time for collecting, reviewing, and reporting the data. The information is being collected to obtain the supportive documentation which must be submitted to HUD for approval, and is necessary to ensure that viable projects are developed and maintained. The Department will use this information to determine if properties meet HUD requirements with respect to development, operation and/or asset management, as well as ensuring the continued marketability of the properties.
Warning: Any person who knowingly presents a false, fictitious, or fraudulent statement or claim in a matter within the jurisdiction of the U.S. Department of Housing and Urban Development in subject to criminal penalties, civil liability, and administrative sanctions.
Privacy Act Notice: The Department of Housing and Urban Development, Federal Housing Administration, is authorized to collect the information requested in this form by virtue of: The National Housing Act, 12 USC 1701 et seq. and the regulations at 24 CFR 5.212 and 24 CFR 200.6; and the Housing and Community Development Act of 1987, 42 USC 3543(a). The information requested is mandatory to receive the mortgage insurance benefits to be derived from the National Housing Act Section 232 Healthcare Facility Insurance Program. This agency may not collect this information, and you are not required to complete this form unless it displays a currently valid OMB control number. No confidentiality is assured.
| File Type | application/msword |
| File Title | Attached for your immediate attention is the electronic copy of the SSN and PII memorandum distributed to Departmental Principle |
| Author | Nadine Craft |
| Last Modified By | H22192 |
| File Modified | 2012-11-08 |
| File Created | 2012-10-12 |