Privacy Threshold Analysis (PTA)

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 1 of 8

PRIVACY THRESHOLD ANALYSIS (PTA)
This form is used to determine whether
a Privacy Impact Assessment is required.

Please use the attached form to determine whether a Privacy Impact Assessment (PIA) is required under
the E-Government Act of 2002 and the Homeland Security Act of 2002.
Please complete this form and send it to your component Privacy Office. If you do not have a component
Privacy Office, please send the PTA to the DHS Privacy Office:
Senior Director, Privacy Compliance
The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
Tel: 202-343-1717
[email protected]

Upon receipt from your component Privacy Office, the DHS Privacy Office will review this form. If a
PIA is required, the DHS Privacy Office will send you a copy of the Official Privacy Impact Assessment
Guide and accompanying Template to complete and return.
A copy of the Guide and Template is available on the DHS Privacy Office website,
www.dhs.gov/privacy, on DHSConnect and directly from the DHS Privacy Office via email:
[email protected], phone: 202-343-1717.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 2 of 8

PRIVACY THRESHOLD ANALYSIS (PTA)
SUMMARY INFORMATION
Project or
Program Name:

FEMA Form 127-0-1 Debt Collection Financial Statement (1660-0011)

Component:

Federal Emergency
Management Agency (FEMA)

Office or
Program:

OCFO

Xacta FISMA
Name (if
applicable):

Unknown

Xacta FISMA
Number (if
applicable):

Unknown

Type of Project or
Program:

Form or other Information
Collection

Project or
program
status:

Update

Date first
developed:
Date of last PTA
update

October 1, 2000

Pilot launch
date:

N/A

June 6, 2011

Pilot end date:

N/A

ATO Status (if
applicable)

Choose an item.

ATO
expiration date
(if applicable):

N/A

PROJECT OR PROGRAM MANAGER
Name:

Mary K Schneider

Office:

OCFO FEMA Finance Center Title:

Chief, Debt Mgmt Unit

Phone:

(540) 504-1649

[email protected]

Email:

INFORMATION SYSTEM SECURITY OFFICER (ISSO) (IF APPLICABLE)
Name:

N/A

Phone:

N/A

Email:

N/A

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 3 of 8

SPECIFIC PTA QUESTIONS
1. Reason for submitting the PTA: Renewal PTA
Please provide a general description of the project and its purpose in a way a non-technical person could
understand. If this is an updated PTA, please describe what changes and/or upgrades that are triggering
the update to this PTA. If this is a renewal please state whether or not there were any changes to the
project, program, or system since the last version.
FEMA Finance Center (FFC) sends FEMA Form 127-0-1, “Debt Collection Financial Statement” to
individuals in order to collect debts by installment payments or reach a repayment settlement. FFC has
two methods of corresponding with debtors—traditional mail and fax. If a debtor chooses to utilize
traditional mail, the mailroom scans the documentation to the National Emergency Management
Information System (NEMIS) module.
If the debtor chooses to fax their correspondence, FEMA documents are received as an electronic version
through a fax communication server and uploaded into the NEMIS module. FEMA FFC also uses the
form to locate assets if payment agreements are later defaulted, or if the debts are referred to the
Department of Treasury (DOT) or the Department of Justice (DOJ) where the debt exceeds $100,000 for
collection, offset programs, litigation, and/or debt compromises or terminations.

2. Does this system employ any of the
following technologies:
If you are using any of these technologies and
want coverage under the respective PIA for that
technology please stop here and contact the DHS
Privacy Office for further guidance.

Closed Circuit Television (CCTV)
Social Media
Web portal1 (e.g., SharePoint)
Contact Lists
None of these

3. From whom does the Project or
Program collect, maintain, use, or
disseminate information?
Please check all that apply.

1

This program does not collect any personally
identifiable information2
Members of the public
DHS employees/contractors (list components):
FEMA

Informational and collaboration-based portals in operation at DHS and its components that collect, use, maintain, and share
limited personally identifiable information (PII) about individuals who are “members” of the portal or “potential members” who
seek to gain access to the portal.
2
DHS defines personal information as “Personally Identifiable Information” or PII, which is any information that permits the
identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual,
regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to
the Department. “Sensitive PII” is PII, which if lost, compromised, or disclosed without authorization, could result in substantial
harm, embarrassment, inconvenience, or unfairness to an individual. For the purposes of this PTA, SPII and PII are treated the
same.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 4 of 8

Contractors working on behalf of DHS
Employees of other federal agencies

4. What specific information about individuals is collected, generated or retained?
Please provide a specific description of information that is collected, generated, or retained (such as
names, addresses, emails, etc.) for each category of individuals.


Name;



Address;



Date of Birth;



SSN;



Name of employer;



Employer address;



Marital status;



Number of dependents;



Housing situation;



Real estate and car ownerships;



All sources of income;



Names of banks and account balances; and



Names of creditors (including the amounts owed, monthly payment amounts, and amounts past
due).

4(a) Does the project, program, or system
retrieve information by personal identifier?
4(b) Does the project, program, or system
use Social Security Numbers (SSN)?
4(c) If yes, please provide the specific legal
basis and purpose for the collection of
SSNs:

No. Please continue to next question.
Yes. If yes, please list all personal identifiers
used:
No.
Yes.
31 U.S.C. § 7701 authorizes FEMA to collect and
maintain SSNs in order to facilitate the collection of
delinquent debt.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 5 of 8

31 U.S.C. § 3711 requires FEMA to transfer
delinquent debts older than 180 days to Treasury for
collection, and once submitted to Treasury the SSN
is used for computer matching against sources of
payments due to the debtor for possible offsetting.

4(d) If yes, please describe the uses of the
SSNs within the project, program, or
system:

4(e) If this project, program, or system is
an information technology/system, does it
relate solely to infrastructure?

This is a debt collection activity. SSNs are collected
for use by: (1) FEMA to corroborate information
when debtors request debt repayment by
installment, (2) U.S. Department of Treasury to
locate individual records if offset activity is
undertaken by them, and (3) FFC to report debt
forgiveness as income required on Form 1099C
Cancellation of Debt, should the debt be
compromised or terminated.
No. Please continue to next question.
Yes. If a log kept of communication traffic,
please answer the following question.

For example, is the system a Local Area Network
(LAN) or Wide Area Network (WAN)?
4(f) If header or payload data3 is stored in the communication traffic log, please detail the data
elements stored.
N/A

5. Does this project, program, or system
connect, receive, or share PII with any
other DHS programs or systems4?

6. Does this project, program, or system
connect, receive, or share PII with any
external (non-DHS) partners or
3

No.
Yes. If yes, please list:
FEMA NEMIS (National Emergency Management
Information System)
No.

When data is sent over the Internet, each unit transmitted includes both header information and the actual data being sent. The
header identifies the source and destination of the packet, while the actual data is referred to as the payload. Because header
information, or overhead data, is only used in the transmission process, it is stripped from the packet when it reaches its
destination. Therefore, the payload is the only data received by the destination system.
4
PII may be shared, received, or connected to other DHS systems directly, automatically, or by manual processes. Often, these
systems are listed as “interconnected systems” in Xacta.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 6 of 8

systems?

Yes. If yes, please list:
U.S. Department of Treasury & U.S. Department of
Justice
Existing
Please describe applicable information sharing
governance in place:

6(a) Is this external sharing pursuant to
new or existing information sharing
access agreement (MOU, MOA, LOI,
etc.)?

7. Does the project, program, or system
provide role-based training for
personnel who have access in addition
to annual privacy training required of
all DHS personnel?

DHS/FEMA may share this information on a caseby-case basis as required by law or as necessary for
a specific purpose, as described in the routine uses
found in the Accounts Receivable System of
Records Notice, DHS/ALL-008, (October 17, 2008,
73 FR 61885).

No. Completion of the form is self-explanatory.
Annual privacy training is a cyclical required
responsibility of all FEMA personnel with
adherence and oversight of management, and is not
the responsibility of the individual program as it
relates to this form.
Yes. If yes, please list:

8. Per NIST SP 800-53 Rev. 4, Appendix
J, does the project, program, or system
maintain an accounting of disclosures
of PII to individuals who have
requested access to their PII?
9. Is there a FIPS 199 determination?4

No. What steps will be taken to develop and
maintain the accounting: Disclosure
requests/records are handled through the source
system (NEMIS) and/or through the FEMA
Disclosure Office.
Yes. In what format is the accounting
maintained:
Unknown.
No.
Yes. Please indicate the determinations for each
of the following:
Confidentiality:
Low
Moderate

4

High

Undefined

FIPS 199 is the Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal
Information and Information Systems and is used to establish security categories of information systems.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 7 of 8

Integrity:
Low

Moderate

High

Undefined

Availability:
Low
Moderate

High

Undefined

PRIVACY THRESHOLD REVIEW
(TO BE COMPLETED BY COMPONENT PRIVACY OFFICE)
Component Privacy Office Reviewer:

LaKia Samuel

Date submitted to Component Privacy
Office:

April 11, 2014

Date submitted to DHS Privacy Office:

April 15, 2014

Component Privacy Office Recommendation:
Please include recommendation below, including what new privacy compliance documentation is needed.


DHS/FEMA/PIA-027 – National Emergency Management Information System –
Individual Assistance (NEMIS-IA) Web based and Client-based Modules



DHS/ALL-008 - Department of Homeland Security Accounts Receivable System of
Records October 17, 2008, 73 FR 61885

(TO BE COMPLETED BY THE DHS PRIVACY OFFICE)
DHS Privacy Office Reviewer:

Jameson Morgan

PCTS Workflow Number:

1016010

Date approved by DHS Privacy Office:

May 14, 2014

PTA Expiration Date

May 14, 2017
DESIGNATION
If “no” PTA adjudication is complete.

Privacy Sensitive System:

Yes

Category of System:

Form/Information Collection

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 8 of 8

If “other” is selected, please describe: Click here to enter text.
Determination:

PTA sufficient at this time.
Privacy compliance documentation determination in progress.
New information sharing arrangement is required.
DHS Policy for Computer-Readable Extracts Containing Sensitive PII
applies.
Privacy Act Statement required.
Privacy Impact Assessment (PIA) required.
System of Records Notice (SORN) required.
Paperwork Reduction Act (PRA) Clearance may be required. Contact
your component PRA Officer.
A Records Schedule may be required. Contact your component Records
Officer.

System covered by existing PIA
PIA:

If covered by existing PIA, please list: DHS/FEMA/ PIA – 027 National Emergency
Management Information System-Individual Assistance (NEMIS-IA) Web-based and
Client-based Modules
System covered by existing SORN

SORN:

If covered by existing SORN, please list: DHS/ALL-008 - Department of Homeland
Security Accounts Receivable System of Records
DHS Privacy Office Comments:
Please describe rationale for privacy compliance determination above.
The DHS Privacy Office agrees with the FEMA Privacy Office that Debt Collection Financial Statement
is a privacy sensitive system with coverage required under the DHS/FEMA/PIA – 027 NEMIS-IA PIA
and the DHS/ALL – 008 Accounts Receivable SORN. A Privacy Act Statement is also required per the
Privacy Act, Section e(3).
This PTA was submitted because the Debt Collection Financial Statement FORM collects PII from DHS
employees, contractors, and members of the public in order to collect debts by installment payments or
reach a repayment settlement.
The DHS/FEMA/PIA – 027 PIA allows FEMA to process information obtained from disaster recovery
assistance applications via the Disaster Assistance Improvement Program (DAIP)/Disaster Assistance
Call Center (DAC) system and uses business rules to detect and prevent ―duplication of benefits. The
DHS/ALL – 008 Accounts Receivable SORN allows DHS/FEMA to collect PII in order to to keep track
of debts owed to DHS.