Privacy Threshold Analysis (PTA)

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 1 of 9

PRIVACY THRESHOLD ANALYSIS (PTA)
This form is used to determine whether
a Privacy Impact Assessment is required.

Please use the attached form to determine whether a Privacy Impact Assessment (PIA) is required under
the E-Government Act of 2002 and the Homeland Security Act of 2002.
Please complete this form and send it to your component Privacy Office. If you do not have a component
Privacy Office, please send the PTA to the DHS Privacy Office:
Senior Director, Privacy Compliance
The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
Tel: 202-343-1717
[email protected]

Upon receipt from your component Privacy Office, the DHS Privacy Office will review this form. If a
PIA is required, the DHS Privacy Office will send you a copy of the Official Privacy Impact Assessment
Guide and accompanying Template to complete and return.
A copy of the Guide and Template is available on the DHS Privacy Office website,
www.dhs.gov/privacy, on DHSConnect and directly from the DHS Privacy Office via email:
[email protected], phone: 202-343-1717.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 2 of 9

PRIVACY THRESHOLD ANALYSIS (PTA)
SUMMARY INFORMATION
Project or
Program Name:

Threat and Hazard Identification and Risk Assessment (THIRA) and States
Preparedness Report (SPR) Unified Reporting Tool (1660-0131)

Component:

Federal Emergency
Management Agency (FEMA)

Office or
Program:

National Preparedness
Assessment Division

Xacta FISMA
Name (if
applicable):

Click here to enter text.

Xacta FISMA
Number (if
applicable):

Click here to enter text.

Type of Project or
Program:

Form or other Information
Collection

Project or
program
status:

Modification

Date first
developed:
Date of last PTA
update

August 28, 2010

Pilot launch
date:

August 28, 2010

December 11, 2014

Pilot end date:

August 31, 2015

ATO Status (if
applicable)

Choose an item.

ATO
expiration date
(if applicable):

Click here to enter a date.

PROJECT OR PROGRAM MANAGER
Name:

Daniel Paulette Chapman

Office:

National Preparedness
Assessment Division

Title:

Program Analyst

Phone:

202-786-9670

Email:

[email protected]
hs.gov

INFORMATION SYSTEM SECURITY OFFICER (ISSO) (IF APPLICABLE)
Name:

Click here to enter text.

Phone:

Click here to enter text.

Email:

Click here to enter text.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 3 of 9

SPECIFIC PTA QUESTIONS
1. Reason for submitting the PTA: Updated PTA

The Threat and Hazard Identification and Risk Assessment (THIRA) and State Preparedness
Report (SPR) Unified Reporting Tool (Office of Management and Budget (OMB) 1660-0131)
has been revised since the last PTA was approved on December 11, 2014. FEMA’s revision of
this collection includes the use of a telephonic survey to assess customer service and ease of use
of the collection’s Excel tool. FEMA uses a 1-800 number and script to facilitate the survey.
As a result of this revision, FEMA does not collect any additional personally identifiable
information. However, PII is used to send out calendar invitations via email for the telephonic
survey.
This collection characterizes the first two components of the National Preparedness System:
Identifying and Assessing Risk and Estimating Capability Requirements. The collection serves
as a foundation for the National Preparedness System, and represents the first steps of the
nation’s process for achieving its National Preparedness Goal of a secure and resilient nation.
Respondents are identified by State Authorizing Agency’s (SAA) from each state, territory, tribe
or Urban Area who are responsible for assigning points of contact (POC) for the THIRA and
SPR. A POC is an individual assigned responsibility for the THIRA/SPR by the SAA. The
approving authority is the person in the state who approves the information contained in the SPR.
The approving authority may be the State Homeland Security Director, State Emergency
Management Director, or the Governor.
The collection consists of two major steps. First, respondents establish capability targets based
on their jurisdiction’s own threats and hazards, and estimate the resources needed to meet the
capability targets in a process called the THIRA. Second, respondents estimate their current
capability levels against those targets in the SPR. Combined, these steps enable respondents to
understand and improve their preparedness, and enable the federal government to understand
how it can most effectively contribute to national preparedness.
FEMA’s Federal Preparedness Coordinator emails an Excel form that serves as the collection
mechanism to the SAA. The SAA returns the form via email to the FEMA Federal Preparedness
Coordinators by December 31 annually. Once the Excel forms are submitted to FEMA, FEMA
uploads them to SharePoint and uses its SharePoint site as a file storage mechanism. FEMA
consolidates all information, except POC information, into one Excel database from which
FEMA conducts its analysis. POC information stays in the original Excel form and is not
consolidated because it is not necessary for analysis. FEMA stores both the individual Excel
forms and the consolidated Excel form on SharePoint. FEMA annually collects this information,
and analyzes the data, as necessary, for its reports to Congress and the President.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 4 of 9

The collection is broken down between the THIRA and SPR to provide a more accurate
assessment. Information collected in this form enables state, local, and tribal jurisdictions, and
the federal government, to:
• understand the risks entities face from all threats and hazards;
• estimate the capabilities and resources they need to manage those risks;
• assess their current capability levels against their targeted capability levels; and,
• identify gaps between their current capabilities and the capabilities they need.
The assessment goal and collection of PII remains the same, however, FEMA revises this
collection to include non-PII survey questions and responses and use of PII to facilitate contact
with individuals to complete the telephonic survey.
Basic contact information is collected from Points of Contact (POCs) and Approving
Authorities.
2. Does this system employ any of the
following technologies:
If you are using any of these technologies and
want coverage under the respective PIA for that
technology please stop here and contact the DHS
Privacy Office for further guidance.

Closed Circuit Television (CCTV)
Social Media
Web portal 1 (e.g., SharePoint)
Contact Lists
None of these

3. From whom does the Project or
Program collect, maintain, use, or
disseminate information?
Please check all that apply.

This program does not collect any personally
identifiable information 2
Members of the public
DHS employees/contractors (list components):
Contractors working on behalf of DHS
Employees of other federal agencies

1

Informational and collaboration-based portals in operation at DHS and its components that collect, use, maintain, and share
limited personally identifiable information (PII) about individuals who are “members” of the portal or “potential members” who
seek to gain access to the portal.
2
DHS defines personal information as “Personally Identifiable Information” or PII, which is any information that permits the
identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual,
regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to
the Department. “Sensitive PII” is PII, which if lost, compromised, or disclosed without authorization, could result in substantial
harm, embarrassment, inconvenience, or unfairness to an individual. For the purposes of this PTA, SPII and PII are treated the
same.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 5 of 9

4. What specific information about individuals is collected, generated or retained?

Information from POCs:
• Full Name
• Email Address
• Telephone Number
• Title
• Organization Name
• Organization Address
• Survey/Questionnaire Responses
Information from Approving Authority:
• Full Name
• Email Address
• Telephone Number
• Title
• Organization Name
• Organization Address
• Survey/Questionnaire Responses
Information from Sharepoint Site Users (FEMA Staff):
• Full Name
• Email Address
• Username
4(a) Does the project, program, or system
retrieve information by personal identifier?
4(b) Does the project, program, or system
use Social Security Numbers (SSN)?
4(c) If yes, please provide the specific legal
basis and purpose for the collection of
SSNs:
4(d) If yes, please describe the uses of the
SSNs within the project, program, or
system:

No. Please continue to next question.
Yes. If yes, please list all personal identifiers
used:
No.
Yes.
Click here to enter text.

Click here to enter text.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 6 of 9

4(e) If this project, program, or system is
an information technology/system, does it
relate solely to infrastructure?

No. Please continue to next question.
Yes. If a log kept of communication traffic,
please answer the following question.

For example, is the system a Local Area Network
(LAN) or Wide Area Network (WAN)?
4(f) If header or payload data 3 is stored in the communication traffic log, please detail the data
elements stored.
Click here to enter text.

5. Does this project, program, or system
connect, receive, or share PII with any
other DHS programs or systems 4?

No.
Yes. If yes, please list:
Click here to enter text.

6. Does this project, program, or system
connect, receive, or share PII with any
external (non-DHS) partners or
systems?
6(a) Is this external sharing pursuant to
new or existing information sharing
access agreement (MOU, MOA, LOI,
etc.)?
7. Does the project, program, or system
provide role-based training for
personnel who have access in addition
to annual privacy training required of
all DHS personnel?
8. Per NIST SP 800-53 Rev. 4, Appendix
J, does the project, program, or system
maintain an accounting of disclosures

No.
Yes. If yes, please list:
Click here to enter text.
Choose an item.
Please describe applicable information sharing
governance in place:

No.
Yes. If yes, please list:

No. What steps will be taken to develop and
maintain the accounting:

3
When data is sent over the Internet, each unit transmitted includes both header information and the actual data being sent. The
header identifies the source and destination of the packet, while the actual data is referred to as the payload. Because header
information, or overhead data, is only used in the transmission process, it is stripped from the packet when it reaches its destination.
Therefore, the payload is the only data received by the destination system.
4
PII may be shared, received, or connected to other DHS systems directly, automatically, or by manual processes. Often, these
systems are listed as “interconnected systems” in Xacta.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 7 of 9

of PII to individuals who have
requested access to their PII?
9. Is there a FIPS 199 determination? 4

Yes. In what format is the accounting
maintained:
Unknown.
No.
Yes. Please indicate the determinations for each
of the following:
Confidentiality:
Low
Moderate

High

Undefined

Integrity:
Low

Moderate

High

Undefined

Availability:
Low
Moderate

High

Undefined

PRIVACY THRESHOLD REVIEW
(TO BE COMPLETED BY COMPONENT PRIVACY OFFICE)
Component Privacy Office Reviewer:

LeVar J. Sykes

Date submitted to Component Privacy
Office:

May 22, 2015

Date submitted to DHS Privacy Office:

May 22, 2015

Component Privacy Office Recommendation:
Please include recommendation below, including what new privacy compliance documentation is needed.
FEMA recommends that this is a privacy sensitive ICR because it collects basic contact information.
Since the information collected is entered into an internal FEMA SharePoint site, FEMA recommends
that this ICR be covered by the DHS/ALL/PIA-037 - DHS SharePoint and Collaboration Sites PIA; and
DHS/ALL-004 - General Information Technology Access Account Records System (GITAARS) SORN
(September 29, 2009, 74 FR 49882).
(TO BE COMPLETED BY THE DHS PRIVACY OFFICE)
DHS Privacy Office Reviewer:

4

Eric M. Leckey

FIPS 199 is the Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal
Information and Information Systems and is used to establish security categories of information systems.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 8 of 9

PCTS Workflow Number:

1090012

Date approved by DHS Privacy Office:

June 1, 2015

PTA Expiration Date

June 1, 2018
DESIGNATION

Privacy Sensitive System:
Category of System:
Determination:

Yes

If “no” PTA adjudication is complete.

Form/Information Collection
If “other” is selected, please describe: Click here to enter text.
PTA sufficient at this time.
Privacy compliance documentation determination in progress.
New information sharing arrangement is required.
DHS Policy for Computer-Readable Extracts Containing Sensitive PII
applies.
Privacy Act Statement required.
Privacy Impact Assessment (PIA) required.
System of Records Notice (SORN) required.
Paperwork Reduction Act (PRA) Clearance may be required. Contact
your component PRA Officer.
A Records Schedule may be required. Contact your component Records
Officer.

System covered by existing PIA
PIA:

If covered by existing PIA, please list: DHS/ALL/PIA-037 - DHS SharePoint and
Collaboration Sites
System covered by existing SORN

SORN:

If covered by existing SORN, please list: DHS/ALL-004 - General Information Technology
Access Account Records System (GITAARS)
DHS Privacy Office Comments:
Please describe rationale for privacy compliance determination above.
This is a privacy sensitive collection that collects basic contact information from POCs, Approving
Authorities, and FEMA staff. This ICR is covered by the DHS/ALL/PIA-037 - DHS SharePoint and
Collaboration Sites PIA and DHS/ALL-004 - General Information Technology Access Account Records
System (GITAARS) SORN (September 29, 2009, 74 FR 49882).
The collection serves as a foundation for the National Preparedness System, and represents the first steps
of the nation’s process for achieving its National Preparedness Goal of a secure and resilient nation. This

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 9 of 9

PTA is being updated because an Excel tool replaces the previously used online tool; and because
respondents now include Urban Areas and Tribal Governments. No further information is required at this
time.