Pta

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 1 of 8

PRIVACY THRESHOLD ANALYSIS (PTA)
This form is used to determine whether
a Privacy Impact Assessment is required.

Please use the attached form to determine whether a Privacy Impact Assessment (PIA) is required under
the E-Government Act of 2002 and the Homeland Security Act of 2002.
Please complete this form and send it to your component Privacy Office. If you do not have a component
Privacy Office, please send the PTA to the DHS Privacy Office:
Senior Director, Privacy Compliance
The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
Tel: 202-343-1717
[email protected]

Upon receipt from your component Privacy Office, the DHS Privacy Office will review this form. If a
PIA is required, the DHS Privacy Office will send you a copy of the Official Privacy Impact Assessment
Guide and accompanying Template to complete and return.
A copy of the Guide and Template is available on the DHS Privacy Office website,
www.dhs.gov/privacy, on DHSConnect and directly from the DHS Privacy Office via email:
[email protected], phone: 202-343-1717.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 2 of 8

PRIVACY THRESHOLD ANALYSIS (PTA)
SUMMARY INFORMATION
Project or
Program Name:

Hazard Mitigation Grant Program (HMGP)

Component:

Federal Emergency
Management Agency (FEMA)

Office or
Program:

Federal Insurance and
Mitigation Administration
(FIMA)

Xacta FISMA
Name (if
applicable):

Hazard Mitigation Grant
Program (HMGP)

Xacta FISMA
Number (if
applicable):

FEM-06020-MAJ-06020

IT System

Project or
program
status:

Operational

Date first
developed:
Date of last PTA
update

August 30, 1998

Pilot launch
date:

N/A

December 9, 2011

Pilot end date:

N/A

ATO Status (if
applicable)

Complete

ATO
expiration date
(if applicable):

July 9, 2015

Type of Project or
Program:

PROJECT OR PROGRAM MANAGER
Name:

Sam Winningham

Office:

FIMA

Title:

HMGP System Owner

Phone:

202-646-3678

Email:

[email protected].
gov

INFORMATION SYSTEM SECURITY OFFICER (ISSO) (IF APPLICABLE)
Name:

Sador Gebre

Phone:

202-646-3057

Email:

[email protected]
a.dhs.gov

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 3 of 8

SPECIFIC PTA QUESTIONS
1. Reason for submitting the PTA: Renewal PTA
The Federal Emergency Management Agency’s (FEMA) Federal Insurance and Mitigation
Administration (FIMA) administers grant programs for states and localities that seek to implement
activities and projects in order to reduce or eliminate risk of future damage to life or property. The
Hazard Mitigation Grant Program (HMGP) is one such program. The key purpose of HMGP is to ensure
that the opportunity to take critical mitigation measures to reduce the risk of loss of life and property from
future disasters is not lost during the reconstruction process following a disaster. This PTA is being
conducted pursuant to the triennial review requirement. There have been no changes or updates to the
system that impact FEMA’s collection, use, maintenance, or sharing of personally identifiable
information (PII) since the last PTA was approved by the DHS Privacy Office on December 9, 2011.
HMGP information is collected and maintained in the HMGP IT system. The IT system collects and
stores grant applications for applicants and sub-applicants associated with a Presidential major disaster
declaration. Applicants are the states involved in the disaster. Sub-applicants can include state agencies,
Indian Tribal governments, local governments or communities, and private non-profit organizations. As
part of the application process, applicants/co-applicants provide property and property owner’s
information as supporting documentation. Applicants/co-applicants submit property owner information,
which includes PII, with the consent of the property owner. The application information includes
notations and reports of decisions from insurance, disaster, or similar financial aid and/or income from
other Federal and State agencies; insurance companies; employer; bank; financial or credit data service;
and public or private entities as they relate to payments and/or financial assistance received by individual
property owners for property included in the grant application. HMGP shares this information with the
FEMA Enterprise Data Warehouse (EDW) for storage and report creation purposes. The FEMA EDW is
covered under the DHS/FEMA/PIA-026 – Operational Data Store and Enterprise Data Warehouse
Privacy Impact Assessment (PIA).
2. Does this system employ any of the
following technologies:
If you are using any of these technologies and
want coverage under the respective PIA for that
technology please stop here and contact the DHS
Privacy Office for further guidance.

Closed Circuit Television (CCTV)
Social Media
Web portal 1 (e.g., SharePoint)
Contact Lists
None of these

3. From whom does the Project or
Program collect, maintain, use, or
1

This program does not collect any personally
identifiable information 2

Informational and collaboration-based portals in operation at DHS and its components that collect, use, maintain, and share
limited personally identifiable information (PII) about individuals who are “members” of the portal or “potential members” who
seek to gain access to the portal.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 4 of 8

disseminate information?
Please check all that apply.

Members of the public
DHS employees/contractors (list components):
Contractors working on behalf of DHS
Employees of other federal agencies

4. What specific information about individuals is collected, generated or retained?
The PII that may be collected or retained includes:
Applicant/co-applicant (public):
• property owner/co-owner name(s)
• title holder
• damaged property address
• telephone numbers—home, office, cell
• mailing address
• status regarding flood insurance
• National Flood Insurance Program (NFIP) policy number
• insurance policy provider for the property proposed to be mitigated with FEMA funds
• signature
• Governor’s authorized representative name and signature
• grant applicant organization point of contact (POC)— name, organization, office phone number,
office mailing address, and email address
FEMA employees or contractors: Full name
4(a) Does the project, program, or system
retrieve information by personal identifier?
4(b) Does the project, program, or system
use Social Security Numbers (SSN)?
4(c) If yes, please provide the specific legal
basis and purpose for the collection of
2

No. Please continue to next question.
Yes. If yes, please list all personal identifiers
used:
No.
Yes.
N/A

DHS defines personal information as “Personally Identifiable Information” or PII, which is any information that permits the
identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual,
regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to
the Department. “Sensitive PII” is PII, which if lost, compromised, or disclosed without authorization, could result in substantial
harm, embarrassment, inconvenience, or unfairness to an individual. For the purposes of this PTA, SPII and PII are treated the
same.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 5 of 8

SSNs:
4(d) If yes, please describe the uses of the
SSNs within the project, program, or
system:
4(e) If this project, program, or system is
an information technology/system, does it
relate solely to infrastructure?

N/A

No. Please continue to next question.
Yes. If a log kept of communication traffic,
please answer the following question.

For example, is the system a Local Area Network
(LAN) or Wide Area Network (WAN)?
4(f) If header or payload data 3 is stored in the communication traffic log, please detail the data
elements stored.
N/A

5. Does this project, program, or system
connect, receive, or share PII with any
other DHS programs or systems 4?

No.
Yes. If yes, please list:
FEMA’s Enterprise Date Warehouse (EDW)

6. Does this project, program, or system
connect, receive, or share PII with any
external (non-DHS) partners or
systems?
6(a) Is this external sharing pursuant to
new or existing information sharing
access agreement (MOU, MOA, LOI,
etc.)?

No.
Yes. If yes, please list:

Choose an item.
Please describe applicable information sharing
governance in place:
N/A

7. Does the project, program, or system
provide role-based training for
personnel who have access in addition
to annual privacy training required of
all DHS personnel?
3

No.
Yes. If yes, please list:

When data is sent over the Internet, each unit transmitted includes both header information and the actual data being sent. The
header identifies the source and destination of the packet, while the actual data is referred to as the payload. Because header
information, or overhead data, is only used in the transmission process, it is stripped from the packet when it reaches its
destination. Therefore, the payload is the only data received by the destination system.
4
PII may be shared, received, or connected to other DHS systems directly, automatically, or by manual processes. Often, these
systems are listed as “interconnected systems” in Xacta.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 6 of 8

8. Per NIST SP 800-53 Rev. 4, Appendix
J, does the project, program, or system
maintain an accounting of disclosures
of PII to individuals who have
requested access to their PII?
9. Is there a FIPS 199 determination? 4

No. What steps will be taken to develop and
maintain the accounting: Request for information
goes through the FOIA/PA process managed by the
FEMA Disclosure Office.
Yes. In what format is the accounting
maintained:
Unknown.
No.
Yes. Please indicate the determinations for each
of the following:
Confidentiality:
Low
Moderate

High

Undefined

Integrity:
Low

Moderate

High

Undefined

Availability:
Low
Moderate

High

Undefined

PRIVACY THRESHOLD REVIEW
(TO BE COMPLETED BY COMPONENT PRIVACY OFFICE)
Component Privacy Office Reviewer:

LeVar J. Sykes

Date submitted to Component Privacy
Office:

Click here to enter a date.

Date submitted to DHS Privacy Office:

December 10, 2014

Component Privacy Office Recommendation:
Please include recommendation below, including what new privacy compliance documentation is needed.
The FEMA Privacy Office recommends approval of this PTA for the HMGP System as a Privacy
Sensitive System requiring a PIA and SORN. Recommended PIA and SORN coverage are as follows:
DHS/FEMA/PIA-025 – Hazard Mitigation Grant Program (HMGP) System PIA and the DHS/FEMA-009
- Hazard Mitigation Disaster Public Assistance and Disaster Loan Programs SORN.

4

FIPS 199 is the Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal
Information and Information Systems and is used to establish security categories of information systems.

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 7 of 8

(TO BE COMPLETED BY THE DHS PRIVACY OFFICE)
DHS Privacy Office Reviewer:

Eric M. Leckey

PCTS Workflow Number:

1056876

Date approved by DHS Privacy Office:

December 11, 2014

PTA Expiration Date

December 11, 2017
DESIGNATION

Privacy Sensitive System:

Yes

Category of System:

IT System

Determination:

PTA sufficient at this time.
Privacy compliance documentation determination in progress.
New information sharing arrangement is required.
DHS Policy for Computer-Readable Extracts Containing Sensitive PII
applies.
Privacy Act Statement required.
Privacy Impact Assessment (PIA) required.
System of Records Notice (SORN) required.
Paperwork Reduction Act (PRA) Clearance may be required. Contact
your component PRA Officer.
A Records Schedule may be required. Contact your component Records
Officer.

PIA:

System covered by existing PIA
DHS/FEMA/PIA-025 – Hazard Mitigation Grant Program (HMGP) System PIA
System covered by existing SORN

SORN:

DHS/FEMA-009 - Hazard Mitigation Disaster Public Assistance and Disaster Loan
Programs SORN.
DHS Privacy Office Comments:
Please describe rationale for privacy compliance determination above.
The purpose of this PTA is to review and document the review of the HMGP System in accordance with
the triennial review requirement. This system has not undergone any changes since it was last
adjudicated on December 11, 2011. The HMGP System is a Privacy Sensitive System. The system
collects business-related PII of State and Local representatives and the PII of property owners. Personal
information of property owners; specifically, property information, flood insurance coverage and history
is provided to FEMA as part of the HMGP grant application process and is provided to FEMA by grant

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 8 of 8

applicant(s) following the consent of the property owner. The HMGP system requires a PIA and is
covered under the existing DHS/FEMA/PIA-025 – Hazard Mitigation Grant Program (HMGP) System.
Additionally, the HMGP is currently covered by the DHS/FEMA/PIA-025 – Hazard Mitigation Grant
Program (HMGP) System.