Download:
pdf |
pdfPrivacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 1 of 7
PRIVACY THRESHOLD ANALYSIS (PTA)
This form is used to determine whether
a Privacy Impact Assessment is required.
Please use the attached form to determine whether a Privacy Impact Assessment (PIA) is required under
the E-Government Act of 2002 and the Homeland Security Act of 2002.
Please complete this form and send it to your component Privacy Office. If you do not have a component
Privacy Office, please send the PTA to the DHS Privacy Office:
Senior Director, Privacy Compliance
The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
Tel: 202-343-1717
[email protected]
Upon receipt from your component Privacy Office, the DHS Privacy Office will review this form. If a
PIA is required, the DHS Privacy Office will send you a copy of the Official Privacy Impact Assessment
Guide and accompanying Template to complete and return.
A copy of the Guide and Template is available on the DHS Privacy Office website,
www.dhs.gov/privacy, on DHSConnect and directly from the DHS Privacy Office via email:
[email protected], phone: 202-343-1717.
�Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 2 of 7
PRIVACY THRESHOLD ANALYSIS (PTA)
SUMMARY INFORMATION
Project or
Program Name:
Write-Your-Own (WYO) Program
Component:
Federal Emergency
Management Agency (FEMA)
Office or
Program:
Federal Insurance and
Mitigation Administration
(FIMA)
Xacta FISMA
Name (if
applicable):
Click here to enter text.
Xacta FISMA
Number (if
applicable):
Click here to enter text.
Type of Project or
Program:
Form or other Information
Collection
Project or
program
status:
Existing
Date first
developed:
Date of last PTA
update
October 1, 1986
Pilot launch
date:
Click here to enter a date.
Click here to enter a date.
Pilot end date:
Click here to enter a date.
ATO Status (if
applicable)
Choose an item.
ATO
expiration date
(if applicable):
Click here to enter a date.
PROJECT OR PROGRAM MANAGER
Name:
Susan Bernstein
Office:
FIMA
Title:
Branch Chief
Phone:
202-212-2113
Email:
[email protected]
ov
INFORMATION SYSTEM SECURITY OFFICER (ISSO) (IF APPLICABLE)
Name:
Click here to enter text.
Phone:
Click here to enter text.
Email:
Click here to enter text.
�Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 3 of 7
SPECIFIC PTA QUESTIONS
1. Reason for submitting the PTA: New PTA
This is a new PTA for the National Flood Insurance Program (NFIP) Write Your Own (WYO) Program.
The Federal Emergency Management Agency (FEMA) completes this PTA as part of the Office of
Management and Budget’s (OMB) Information Collection Request (ICR) renewal process, which is part
of OMB ICR No. 1660-0020.
FEMA and the NFIP work with individual private sector insurance companies that are licensed to engage
in the business of property insurance to sell flood insurance to the public using their customary business
practices. To ensure that policyholders’ monies are accounted for and appropriately expended, FIMA
implemented a Financial Control Plan (FCP) under FEMA’s regulation at 44 C.F.R. § 62.23(f) and
Appendix B to Part 62. This plan requires that each WYO Company submit financial data on a monthly
basis into the NFIP Bureau and Statistical Agent (BSA) and to the FEMA Office of the Chief Financial
Officer monthly. The monthly submission includes financial statement exhibits containing all of their
financial activities for each month.
The NFIP provides the WYO Companies with an Excel software application to complete and return with
their financial data. The WYO representative who completes the Excel-based form provides FEMA their
name and contact telephone number along with aggregate financial information such as the total dollar
amount of claims paid out to NFIP policyholders. Information that is provided as part of this collection
may be included in the FEMA National Flood Insurance Program (NFIP) Information Technology
Systems (ITS) which has privacy compliance coverage under the DHS/FEMA/PIA – 11 NFIPS ITS
Privacy Impact Assessment (PIA) and the DHS/FEMA – 003 NFIP Files System of Records Notice
(SORN).
2. Does this system employ any of the
following technologies:
If you are using any of these technologies and
want coverage under the respective PIA for that
technology please stop here and contact the DHS
Privacy Office for further guidance.
Closed Circuit Television (CCTV)
Social Media
Web portal 1 (e.g., SharePoint)
Contact Lists
None of these
3. From whom does the Project or
Program collect, maintain, use, or
1
This program does not collect any personally
identifiable information 2
Informational and collaboration-based portals in operation at DHS and its components that collect, use, maintain, and share
limited personally identifiable information (PII) about individuals who are “members” of the portal or “potential members” who
seek to gain access to the portal.
2
DHS defines personal information as “Personally Identifiable Information” or PII, which is any information that permits the
identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual,
regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to
the Department. “Sensitive PII” is PII, which if lost, compromised, or disclosed without authorization, could result in substantial
�Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 4 of 7
disseminate information?
Please check all that apply.
Members of the public
DHS employees/contractors (list components):
FEMA CFO
Contractors working on behalf of DHS
Employees of other federal agencies
4. What specific information about individuals is collected, generated or retained?
WYO company’s representatives provide FEMA their name and phone number for correspondence
purposes.
No. Please continue to next question.
4(a) Does the project, program, or system
Yes. If yes, please list all personal identifiers
retrieve information by personal identifier?
used:
4(b) Does the project, program, or system
No.
use Social Security Numbers (SSN)?
Yes.
4(c) If yes, please provide the specific legal
Click here to enter text.
basis and purpose for the collection of
SSNs:
4(d) If yes, please describe the uses of the
Click here to enter text.
SSNs within the project, program, or
system:
4(e) If this project, program, or system is
No. Please continue to next question.
an information technology/system, does it
relate solely to infrastructure?
Yes. If a log kept of communication traffic,
please answer the following question.
For example, is the system a Local Area Network
(LAN) or Wide Area Network (WAN)?
4(f) If header or payload data 3 is stored in the communication traffic log, please detail the data
elements stored.
Click here to enter text.
harm, embarrassment, inconvenience, or unfairness to an individual. For the purposes of this PTA, SPII and PII are treated the
same.
3
When data is sent over the Internet, each unit transmitted includes both header information and the actual data being sent. The
header identifies the source and destination of the packet, while the actual data is referred to as the payload. Because header
information, or overhead data, is only used in the transmission process, it is stripped from the packet when it reaches its
destination. Therefore, the payload is the only data received by the destination system.
�Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 5 of 7
5. Does this project, program, or system
connect, receive, or share PII with any
other DHS programs or systems 4?
6. Does this project, program, or system
connect, receive, or share PII with any
external (non-DHS) partners or
systems?
6(a) Is this external sharing pursuant to
new or existing information sharing
access agreement (MOU, MOA, LOI,
etc.)?
7. Does the project, program, or system
provide role-based training for
personnel who have access in addition
to annual privacy training required of
all DHS personnel?
8. Per NIST SP 800-53 Rev. 4, Appendix
J, does the project, program, or system
maintain an accounting of disclosures
of PII to individuals/agencies who have
requested access to their PII?
9. Is there a FIPS 199 determination? 4
No.
Yes. If yes, please list:
FEMA Office of the Chief Financial Officer
(OCFO).
No.
Yes. If yes, please list:
Click here to enter text.
Choose an item.
Please describe applicable information sharing
governance in place:
No.
Yes. If yes, please list:
No. What steps will be taken to develop and
maintain the accounting:
Yes. In what format is the accounting
maintained: FEMA’s Disclosure Office tracks all
disclosures of information submitted through the
DHS/FEMA FOIA and PA request process.
Unknown.
No.
Yes. Please indicate the determinations for each
of the following:
Confidentiality:
Low
Moderate
4
High
Undefined
PII may be shared, received, or connected to other DHS systems directly, automatically, or by manual processes. Often, these
systems are listed as “interconnected systems” in Xacta.
4
FIPS 199 is the Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal
Information and Information Systems and is used to establish security categories of information systems.
�Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 6 of 7
Integrity:
Low
Moderate
High
Undefined
Availability:
Low
Moderate
High
Undefined
PRIVACY THRESHOLD REVIEW
(TO BE COMPLETED BY COMPONENT PRIVACY OFFICE)
Component Privacy Office Reviewer:
LeVar J. Sykes
Date submitted to Component Privacy
Office:
Click here to enter a date.
Date submitted to DHS Privacy Office:
February 23, 2015
Component Privacy Office Recommendation:
Please include recommendation below, including what new privacy compliance documentation is needed.
The FEMA Privacy Office recommends the following coverage:
PIA: DHS/FEMA/PIA – 011 National Flood Insurance Program (NFIP) Information Technology
Systems (ITS)
SORN: N/A.
(TO BE COMPLETED BY THE DHS PRIVACY OFFICE)
DHS Privacy Office Reviewer:
Eric M. Leckey
PCTS Workflow Number:
1068683
Date approved by DHS Privacy Office:
February 24, 2015
PTA Expiration Date
February 24, 2018
DESIGNATION
Privacy Sensitive System:
Category of System:
Determination:
Yes
If “no” PTA adjudication is complete.
Form/Information Collection
If “other” is selected, please describe: Click here to enter text.
PTA sufficient at this time.
Privacy compliance documentation determination in progress.
�Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version number: 01-2014
Page 7 of 7
New information sharing arrangement is required.
DHS Policy for Computer-Readable Extracts Containing Sensitive PII
applies.
Privacy Act Statement required.
Privacy Impact Assessment (PIA) required.
System of Records Notice (SORN) required.
Paperwork Reduction Act (PRA) Clearance may be required. Contact
your component PRA Officer.
A Records Schedule may be required. Contact your component Records
Officer.
System covered by existing PIA
PIA:
SORN:
If covered by existing PIA, please list: DHS/FEMA/PIA – 11 National Flood Insurance
Program (NFIP) Information Technology Systems (ITS)
Choose an item.
If covered by existing SORN, please list:
DHS Privacy Office Comments:
Please describe rationale for privacy compliance determination above.
The WYO Program (OMB ICR 1660-0020) is a privacy sensitive system that collects minimal PII from
insurance companies and insurance brokers’ representatives that participate in the WYO program. In
accordance with the E-Government Act this project requires a PIA and is covered under the
DHS/FEMA/PIA – 011 National Flood Insurance Program Information Technology Systems (NFIP ITS)
PIA. This project retrieves records by insurance company or insurance broker information and does not
retrieve information by PII. In accordance with the Privacy Act, this project is not a system of records
and does not require a SORN.
�
| File Type | application/pdf |
| File Title | DHS PRIVACY OFFICE |
| Author | marilyn.powell |
| File Modified | 2015-02-25 |
| File Created | 2015-02-24 |