U.S. DEPARTMENT OF
HOUSING AND URBAN DEVELOPMENT
INITIAL PRIVACY ASSESSMENT (IPA)
Congressional Earmark Grant
Office of Congressional Grants
Instruction & Template
December 27, 2013
INTRODUCTION
What is an Initial Privacy Assessment?
An Initial Privacy Assessment (IPA) is designed to assess whether a Privacy Impact Assessment (PIA), a Privacy Act system of records notice (SORN), and/or other related privacy documents are required. The responses to the IPA will provide a foundation for determining if either a PIA or SORN or both will be required, and will also help to identify any policy concerns.
The IPA incorporates the matters previously addressed in the Department’s Personally Identifiable Information (PII) Survey, and thus replaces the survey.
When should an IPA be completed?
An IPA should be completed for all information collection activities, whether the system is electronic or contains only records in paper form, and should be completed before commencement of any testing or pilot project of an information system or prior to implementing new information collection requests. Additionally, an IPA should be completed any time there is a change to the information system or collection to determine whether there are any privacy issues as a result of such a change.
Who should complete the IPA?
The IPA should be written and reviewed by a combination of the component’s (e.g., Privacy Act Officer, System Owner, Project Leaders, Paperwork Reduction Act Compliance Officers), and the program-specific office responsible for the system, project or information collections.
How is the IPA related to the Capital Planning, Certification and Accreditation, and the Paperwork Reduction Act process?
Upon completion and approval of the IPA by the Privacy Officer, the official document may be uploaded into the C&A tool and provided as part of the IT Capital Planning and Paperwork Reduction Act package as validation of the completed evaluation. The completed IPA demonstrates that the program components have consciously considered privacy and related requirements as part of the overall information activities. For an IT system that does not require a C&A, such as a minor application that runs on a system that does require a C&A, an IPA should still be completed to determine if other related privacy documentation is required for that system or project.
Where should the completed IPA be sent?
A copy of the completed IPA should be sent to the Office of Privacy Project Leads for review. The Privacy Officer will review the IPA and determine what additional privacy documentation is required, and then will advise the Program component accordingly.
Initial Privacy Assessment
INFORMATION ABOUT THE SYSTEM OR PROJECT
Which of the following describes the type of records in the system:
Note: For purposes of this form, there is no distinction made between technologies/systems managed by contractors. All technologies/systems should be initially reviewed for potential privacy impact.
Section I: The Entire IPA (Sections I and II) Should be Completed for New Systems or Projects. If this is an Existing System or Project Skip to Section II. Unless requested by the Office of Privacy, this section should not be completed for an existing System or Project.
Question 1: Provide a general description of the system or project. The following questions are intended to define the scope of the information in the system, information collection, or project, specifically the nature of the information and the sources from which it is obtained.
The system project includes units of state and local government, non-profits and Indian tribes. The grantees submit semi-annual reports, close out forms and form 27054 for access to the LOCCS system. To request funds, form HUD 27053 is used. The information collection is used to monitor grantee performance, maintain and update records.
Units of state and local governments, Indian tribes, non-profit entities and employees thereof.
Application for funds, gaining access to HUD LOCCS for receipt of funds; reports to HUD on the use of the funds.
c. How is information transmitted to and from the system, information collection, or project?
Applications are submitted generally through the grants.gov portal, with some occasionally received in paper form; LOCCS Access Authorization forms are transmitted in paper form to the Congressional Grants Division, which then sends the form to the CFO; semi-annual reports are generally received in paper form, although sometimes they are submitted as scanned PDF attachments in emails from grantees to Division staff. The LOCCS VRS Request voucher for grant payment is transmitted in paper form to the Congressional Grants Division; sometimes forms are submitted as scanned PDF attachment from grantees to Division staff.
d. What are the interconnections with other systems or projects?
See responses to (c) above.
This is not a new system. The information collection is ongoing, as semi-annual reports are due by grantees twice a year.
If this is a new system, information collection, or project, specify the expected production date.
N/A
If an existing system, information collection, or project, specify the date of production.
Applications have been submitted through grants.gov since 2008. All other collections were formally established in 2003.
QUESTION 3: Does this system, information collection, or project collect personal identifiers/sensitive information?
YES
NO
Does the system, information collection, or project collect personal/sensitive information? (e.g. name, address, personal email address, gender/sex, race/ethnicity, income/financial data, employment history, medical history, Social Security Number, Tax Identification Number, Employee Identification Number, FHA Case Number). Includes PII that may be part of a registration process?
If yes, specify the data sets collected or provided, and the legal authorities, arrangements, and/or agreements that authorize the collection of information (i.e. must include authorities that cover all information collection activities, including Social Security Numbers).
The Department uses OMB approved standard forms for the collection of much of this information. The SF-424, the Standard Application Form for Federal Assistance, requires the use of grantee tax identification numbers. Standard Form 1199A, the Direct Deposit Sign Up form, requires grantee tax identification numbers as well as banking account information. The LOCCS Voice Response System Access Authorization form (HUD-27054) requires grantee tax identification numbers as well as social security numbers of both the individual receiving direct access to LOCCS and the official approving that individual’s access for LOCCS. The form states:
The Housing and Community Development Act of 1987, 42 U.S.C. 3543 authorizes HUD to collect the SSN. The purpose of the data is to safeguard the Line of Credit Control System (LOCCS) from unauthorized access. The data are used to ensure that individuals who no longer require access to LOCCS have their access capability promptly deleted. Provision of the SSN is mandatory. HUD uses it as a unique identifier for safeguarding the LOCCS from unauthorized access. This information will not be otherwise disclosed or released outside of HUD, except as permitted or required by law.
QUESTION 4: Does the information about individuals identify particular individuals (i.e., is the information linked or linkable to specific individuals, often referred to as personally identifiable information?)
Yes, see response to question 3 above.
QUESTION 5: What type of Notice(s) are provided to the individual on the scope of information collected, the opportunity to consent to uses of said information, the opportunity to decline to provide information. (A notice may include a posted privacy policy, a Privacy Act notice on form(s), and/or a system of records notice published in the Federal Register.)
The LOCCS Voice Response System Access Authorization form (HUD-27054) contains the Privacy Act Statement cited above, and attached.
Provision of the SSN is mandatory for access to the LOCCS (Line of Credit Control System).
Submission of the form constitutes consent.
QUESTION 6: Is there a Certification & Accreditation record for your system? (This question does not apply to Information Collection Requests)
Any such system would be under the auspices of the DHHS for grants.gov or HUD Office of CFO for the LOCCS Access Authorization form collection.
Specify below the system's categorization. If not available, identify the FISMA-reported system whose Certification and Accreditation covers this system.
<<ADD ANSWER HERE>>
Confidentiality: Low / Moderate / High / Undefined
Integrity: Low / Moderate / High / Undefined
Availability: Low / Moderate / High / Undefined
SECTION II - The Entire IPA should be completed for New Systems or Projects. If this is an Existing System or Project, Complete Only This Section.
QUESTION 1: When was the system, information collection, or project developed?
The Congressional Grants Division has used the government-wide grants.gov system since 2008 for the submission of applications. All other elements of the collection have been in place since 1998.
QUESTION 2: If an existing system, information collection, or project, has the system or project undergone any changes since April 17, 2003?
The Congressional Grants Division began using the grants.gov system in 2008.
QUESTION 3: If an existing system, information collection, or project, explain the changes the system or project will be undergoing as part of this renewal/update process.
<<ADD ANSWER HERE>>
QUESTION 4: Do the changes to the system, information collection, or project involve a change in the type of records maintained, the individuals on whom records are maintained, or the use or dissemination of information from the system?
Grants.gov provides a secure environment for the receipt of applications. All other elements of the collection remain largely paper based.
QUESTION 5: Please indicate if any of the following changes to the system or project have occurred: (Mark all boxes that apply.)
A conversion from paper-based records to an electronic system.
A change from information in a format that is anonymous or non-identifiable to a format that is identifiable to particular individuals.
A new use of an IT system, including application of a new technology that changes how information in identifiable form is managed. (For example, a change that would create a more open environment and/or avenue for exposure of data that previously did not exist.)
A change that results in information in identifiable form being merged, centralized, or matched with other databases.
A new method of authenticating the use of and access to information in the identifiable form by members of the public.
A systematic incorporation of databases of information in identifiable form purchased or obtained from commercial or public sources.
A new interagency use of shared agency function that results in new uses or exchanges of information in identifiable form.
A change that results in a new use of disclosure of information in identifiable form.
A change that results in new items of information in identifiable form being added into the system.
QUESTION 6: Does a PIA for the system or project already exist? If yes, please provide a copy of the notice as an appendix.
No PIA has been previously prepared for this collection.
(To be completed by the Privacy Office)
This is NOT a privacy sensitive system, information collection or project – the system, information collection, or project contains no personal identifiers/sensitive information
This IS a Privacy Sensitive Project
IPA sufficient at this time
A PIA is required
The existing PIA requires an update/deletion
A SORN is required
The existing SORN requires an update or should be deleted
Other
COMMENTS:
DATE REVIEWED:
PRIVACY REVIEWING OFFICIAL'S NAME:
The IPA is “not” an official document until all signatures are obtained for this page.
By signing below, the Program Office or Support Office attests that the content captured in this document is accurate and complete and meets the requirements of applicable federal regulations and HUD internal policies.
SYSTEM OR PROJECT OWNER: Holly A. Kelly, Acting Director
Date
Congressional Grants Division
PROGRAM AREA MANAGER: Holly A. Kelly, Acting Director
Date
Congressional Grants Division
CHIEF PRIVACY OFFICER: <<INSERT NAME>>
Date
Office of the Chief Information Officer
U. S. Department of Housing and Urban Development
File Type | application/msword |
File Title | Attached for your immediate attention is the electronic copy of the SSN and PII memorandum distributed to Departmental Principle |
Author | Nadine Craft |
Last Modified By | Urnell Johnson-Spears |
File Modified | 2013-12-27 |
File Created | 2013-12-27 |