The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis
Version date: November 6, 2012
Page 1 of 7
PRIVACY THRESHOLD ANALYSIS (PTA)
This form is used to determine whether
a Privacy Impact Assessment is required.
Please use the attached form to determine whether a Privacy Impact Assessment (PIA) is required under
the E-Government Act of 2002 and the Homeland Security Act of 2002.
Please complete this form and send it to your component Privacy Office. If you do not have a component
Privacy Office, please send the PTA to the DHS Privacy Office:
Rebecca J. Richards
Senior Director of Privacy Compliance
The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
Tel: 202-343-1717
[email protected]
Upon receipt from your component Privacy Office, the DHS Privacy Office will review this form. If a
PIA is required, the DHS Privacy Office will send you a copy of the Official Privacy Impact Assessment
Guide and accompanying Template to complete and return.
A copy of the Guide and Template is available on the DHS Privacy Office website,
www.dhs.gov/privacy, on DHSConnect and directly from the DHS Privacy Office via email:
[email protected], phone: 202-343-1717.
SUMMARY INFORMATION
Project or Program Name: Mortgage Portfolio Protection Program (MPPP) (1660-0086)
Component: Federal Emergency Management Agency (FEMA)
Office or Program: Federal Insurance and Mitigation Administration
TAFISMA Name: Click here to enter text.
TAFISMA Number: Click here to enter text.
Type of Project or Program: Form or other Information Collection
Project or program status: Operational
PROJECT OR PROGRAM MANAGER
Name: Susan Bernstein
Office: FIMA Risk insurance
Title: FIMA Risk insurance
Phone: 202-212-2113
Email: [email protected]
INFORMATION SYSTEM SECURITY OFFICER (ISSO)
Name: Click here to enter text.
Phone: Click here to enter text.
Email: Click here to enter text.
ROUTING INFORMATION
Date submitted to Component Privacy Office: September 18, 2013
Date submitted to DHS Privacy Office: September 18, 2013
Date approved by DHS Privacy Office: November 4, 2013
SPECIFIC PTA QUESTIONS
1. Please describe the purpose of the project or program:
Please provide a general description of the project and its purpose in a way a non-technical person could
understand.
The Federal Insurance and Mitigation Administration (FIMA) Risk Insurance Division manages the
National Flood Insurance Program (NFIP) Mortgage Portfolio Protection Program (MPPP). Purchasing
flood insurance is mandatory when the property is located in a high flood risk area in communities that
are participating in the NFIP and if there is a federally related loan for a home or business. The MPPP is
an option that participating companies can use to ensure that mortgage loan portfolios are in compliance
with flood insurance purchase requirements if the property owner refuses to buy flood insurance or if a
property has gone through foreclosure and is in the custody of a mortgage lender. Insurance companies
applying for or renewing their participation in the NFIP Write Your Own (WYO) program (which allows
them to sell NFIP flood insurance to property owners) must indicate that they will adhere to the
requirements of the MPPP if they are electing to voluntarily participate in the MPPP.
A WYO company will review the Financial Assistance/Subsidy Arrangement, and complete the Notice of
Acceptance acknowledgement either agreeing to participate in the MPPP or electing to continue under
WYO guidelines. This allows FEMA to maintain a list of companies that are participating in the MPPP
and can assure that insurance policies written under the MPPP are done so by appropriate WYO
companies. Without the MPPP, many loans will not meet federal requirements and not be maintainable.
The MPPP Agreement, Financial Assistance/Subsidy Arrangement, and Notice of Acceptance collect
point of contact information from members of the public, specifically, representatives of insurance
companies and mortgage lenders. A WYO company’s participation in the MPPP is updated in the NFIP
Information Technology System (ITS). The NFIP ITS is currently covered under the DHS/FEMA/PIA –
011 – NFIP ITS Privacy Impact Assessment (PIA). Paper records are stored in accordance with the NFIP
Program Files System of Records System of Records Notice (SORN), 73 Fed. Reg. 77,747 (Dec. 19,
2008). The collection associated with this process is covered by OMB-ICR No. 1660-0086.
WYO companies participating in the MPPP must provide a detailed implementation package, known as
the MPPP Agreement, to the lending companies who are requesting insurance coverage and the lender
must acknowledge receipt.
2. Project or Program status: Update
Date first developed: January 1, 1991
Date last updated: September 30, 2010
Pilot launch date: Click here to enter a date.
Pilot end date: Click here to enter a date.
3. From whom does the Project or Program collect, maintain, use or disseminate information?
Please check all that apply.
DHS Employees
Contractors working on behalf of DHS
Members of the public
This program does not collect any personally
identifiable information1
4. What specific information about individuals could be collected, generated or retained?
Please provide a specific description of information that might be collected, generated or retained such
as names, addresses, emails, etc.
FEMA collects the following information from WYO companies and Lender/Mortgager representatives:
Name,
Title,
Company Name, and
Signature.
Does the Project or Program use Social Security Numbers (SSNs)? No
If yes, please provide the legal authority for the collection of SSNs: Click here to enter text.
If yes, please describe the uses of the SSNs within the Project or Program: Click here to enter text.
5. Does this system employ any of the following technologies:
If project or program utilizes any of these technologies, please contact Component Privacy
Officer for specialized PTA.
Closed Circuit Television (CCTV)
Sharepoint-as-a-Service
Social Media
Mobile Application (or GPS)
Web portal2
None of the above
If this project is a technology/system, does
it relate solely to infrastructure?
No. Please continue to next question.
1 DHS defines personal information as “Personally Identifiable Information” or PII, which is any information that permits the
identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual,
regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to
the Department. “Sensitive PII” is PII, which if lost, compromised, or disclosed without authorization, could result in substantial
harm, embarrassment, inconvenience, or unfairness to an individual. For the purposes of this PTA, SPII and PII are treated the
same.
2 Informational and collaboration-based portals in operation at DHS and its components which collect, use,
maintain, and share limited personally identifiable information (PII) about individuals who are “members” of the
portal or who seek to gain access to the portal “potential members.”
For example, is the system a Local Area Network
(LAN) or Wide Area Network (WAN)?
Yes. If a log is kept of communication traffic,
please answer the following question.
If header or payload data3 is stored in the communication traffic log, please detail the data
elements stored.
Click here to enter text.
6. Does this project or program connect,
receive, or share PII with any other
DHS programs or systems4?
No.
Yes. If yes, please list:
NFIP ITS
7. Does this project or program connect,
receive, or share PII with any external
(non-DHS) partners or systems?
No.
Yes. If yes, please list:
Click here to enter text.
Is this external sharing pursuant to new
or existing information sharing access
agreement (MOU, MOA, LOI, etc.)?
Choose an item.
Please describe applicable information sharing
governance in place.
Click here to enter text.
3 When data is sent over the Internet, each unit transmitted includes both header information and the actual data
being sent. The header identifies the source and destination of the packet, while the actual data is referred to as the
payload. Because header information, or overhead data, is only used in the transmission process, it is stripped from
the packet when it reaches its destination. Therefore, the payload is the only data received by the destination system.
4 PII may be shared, received, or connected to other DHS systems directly, automatically, or by manual processes.
Often, these systems are listed as “interconnected systems” in TAFISMA.
PRIVACY THRESHOLD REVIEW
(TO BE COMPLETED BY COMPONENT PRIVACY OFFICE)
Component Privacy Office Reviewer: Click here to enter text.
Date submitted to DHS Privacy Office: Click here to enter a date.
Component Privacy Office Recommendation:
Please include recommendation below, including what new privacy compliance documentation is needed.
FEMA Privacy recommends the following coverage:
PIA: DHS/FEMA/PIA-011 - National Flood Insurance Program (NFIP) Information Technology
Systems (ITS)
SORN: DHS/FEMA-003 - National Flood Insurance Program Files December 19, 2008 73 FR 77747
(TO BE COMPLETED BY THE DHS PRIVACY OFFICE)
DHS Privacy Office Reviewer: Jameson Morgan
Date approved by DHS Privacy Office: November 4, 2013
PCTS Workflow Number: 995578
DESIGNATION
Privacy Sensitive System: Yes
If “no” PTA adjudication is complete.
Category of System: IT System
If “other” is selected, please describe: Click here to enter text.
Determination:
PTA sufficient at this time.
Privacy compliance documentation determination in progress.
New information sharing arrangement is required.
DHS Policy for Computer-Readable Extracts Containing Sensitive PII
applies.
Privacy Act Statement required.
Privacy Impact Assessment (PIA) required.
System of Records Notice (SORN) required.
PIA:
System covered by existing PIA
If covered by existing PIA, please list: DHS/FEMA/PIA - 011 National Flood Insurance
Program Information Technology System October 12, 2012
SORN:
System covered by existing SORN
If covered by existing SORN, please list: DHS/FEMA-003 - National Flood Insurance
Program Files
DHS Privacy Office Comments:
Please describe rationale for privacy compliance determination above.
The DHS Privacy Office agrees with the FEMA Privacy Office’s recommendation that MPPP is a privacy
sensitive system with coverage under the DHS/FEMA/PIA – 011 NFIP ITS PIA and the DHS/FEMA –
003 NFIP Files SORN.
MPPP collects limited, general, contact information from members of the public, specifically,
representatives of insurance companies, mortgage lenders, and WYO companies in order to ensure that
mortgage loan portfolios are in compliance with flood insurance purchase requirements.
The DHS/FEMA/PIA – 011 NFIP ITS PIA processes flood insurance policies and claims, specifically,
policies and claims from the FEMA Direct Servicing Agent (DSA) contractor on behalf of the NFIP and
by Write Your Own Companies (WYO) that sell and service flood insurance policies. The information
collected in MPPP is sent to NFIP ITS which is covered by the DHS/FEMA/PIA- 011 NFIP ITS PIA.
The DHS/FEMA – 003 NFIP Files SORN allows for information collection from members of the public
in order to manage the NFIP and to provide information on the NFIP to those who inquire. The
DHS/FEMA – 003 SORN is required because information is collected by MPPP for this purpose. All
information collection by MPPP is consistent with the categories of individuals, categories of records, and
routine uses stated in the SORN.
File Type | application/pdf |
File Title | DHS PRIVACY OFFICE |
Author | marilyn.powell |
File Modified | 2013-11-14 |
File Created | 2013-11-14 |