Privacy Threshold Analysis (PTA) Forms

Privacy Analysis (PTA) Forms 07-03-19-Corrected.docx

Enterprise Income Verification (EIV) System User Access Authorization Form and Rules of Behavior and User Agreement

Privacy Threshold Analysis (PTA) Forms

OMB: 2577-0267

Document [docx]
Download: docx | pdf



U.S. DEPARTMENT OF

HOUSING AND URBAN DEVELOPMENT



PRIVACY THRESHOLD ANALYSIS (PTA)



Enterprise Income (EIV) System

User Access Authorization Form and Rules of Behavior and User Agreement


Office of Public and Indian Housing Real Estate Assessment Center




March 2019

PRIVACY THRESHOLD ANALYSIS (PTA)


The PTA is a compliance form developed by the Privacy Branch to identify the use of Personally Identifiable Information (PII) across the Department. The PTA is the first step in the PII verification process, which focuses on these areas of inquiry:

  • Purpose for the information,

  • Type of information,

  • Sensitivity of the information,

  • Use of the information,

  • And the risk to the information.

Please use the attached form to determine whether a Privacy and Civil Liberties Impact Assessment (PCLIA) is required under the E-Government Act of 2002 or a System of Record Notice (SORN) is required under the Privacy Act of 1974, as amended.

Please complete this form and send it to your program Privacy Liaison Officer (PLO). If you have no program Privacy Liaison Officer, please send the PTA to the HUD Privacy Branch:


John Bravacos, Senior Agency Official for Privacy

U.S. Department of Housing and Urban Development



[email protected]


Upon receipt from your program PLO, the HUD Privacy Branch will review this form. If a PCLIA or SORN is required, the HUD Privacy Branch will send you a copy of the PCLIA and SORN templates to complete and return.

PRIVACY THRESHOLD ANALYSIS (PTA)



Summary Information

Project or Program Name:

User Access Authorization Form and Rules of Behavior

Program:

CSAM Name (if applicable):

Enterprise Income Verification System

CSAM Number (if applicable):

Click here to enter text.

Type of Project or Program:

Project or program status:

Date first developed:

October 28, 2002

Pilot launch date:

N/A

Date of last PTA update:

March 1, 2016

Pilot end date:

N/A

ATO Status (if applicable)

ATO expiration date (if applicable):

March 30, 2022



PROJECT OR PROGRAM MANAGER

Name:

Rochelle Katz

Office:

PIH/EIV

Title:

Acting Program Manager

Phone:

202-475-4967

Email:

[email protected]



INFORMATION SYSTEM SECURITY OFFICER (ISSO) (if applicable)

Name:

Dallas Blair

Phone:

202-475-8699

Email:

[email protected]






Specific PTA Questions

1. Reason for submitting the PTA:


HUD’s regulations at 24 CFR 5.233, require PHAs to use the Enterprise Income Verification System (EIV) in its entirety to verify tenant employment and income information during mandatory reexaminations of family composition and income, and to reduce administrative and subsidy payment errors in accordance with 24 CFR 5.236 and administrative guidance issued by HUD.

The EIV System User Access Authorization Form-52676 and Rules of Behavior and User Agreement must be completed by prospective users prior to the public housing agency granting staff access to the EIV system or granting authorization to view system generated content. HUD requires each individual to complete a PDF or Microsoft Word fillable Form HUD 52676 each time an individual requests initial access to the PIH EIV System, and when a user’s access is modified, reinstated or terminated. Also, this form must be completed by an individual who will not access the EIV system but will view and/or handle printed or electronic EIV information. This form enables HUD to: 1) identify the user; 2) verify the type of system access requested; 3) provide the user with HUD’s Rules of Behavior for system usage and information about the user responsibilities to protect data protected under the Federal Privacy Act (5 USC 552a) after access is granted; and 4) obtain the signature of the user certifying the user’s agreement to the Rules of Behavior and responsibilities associated with his/her use of the EIV system.





  1. Does this system employ the following technologies?

If you are using these technologies and want coverage under the respective PIA for that technology, please stop here and contact the HUD Privacy Branch for further guidance.

Social Media

Web portal2 (e.g., SharePoint)

Contact Lists

Public website (e.g. A website operated by HUD, contractor, or other organization on behalf of the HUD

None of these


  1. From whom does the Project or Program collect, maintain, use, or disseminate information?

Please check all that apply.

This program collects no personally identifiable information3

Members of the public

HUD employees/contractors (list programs):

Contractors working on behalf of HUD

Employees of other federal agencies

Other (e.g. business entity)



  1. What specific information about individuals is collected, generated or retained?


HUD Form-52676 collects the Public Housing Agency (PHA) code, organization name, organization address, prospective user’s full name, HUD assigned user ID, Position Title, email address, office telephone and fax numbers and the type of work which involves the use of the EIV system, the type of system action requested, requested access roles to be assigned, public housing development numbers to be assigned and the prospective user’s signature and date of request.



4(a) Does the project, program, or system retrieve information from the system about a U.S. Citizen or lawfully admitted permanent resident aliens by a personal identifier?

No. Please continue to next question.

Yes. If yes, please list all personal identifiers used:


4(b) Does the project, program, or system have an existing System of Records Notice (SORN) that has already been published in the Federal Register that covers the information collected?

No. Please continue to next question.

Yes. If yes, provide the system name and number, and the Federal Register

citation(s) for the most recent complete notice and any subsequent notices

reflecting amendment to the system


4(c)Has the project, program, or system undergone any significant changes since the SORN?

No. Please continue to next question.

Yes. If yes, please describe.


4(d) Does the project, program, or system use Social Security Numbers (SSN)?

No.

Yes.


4(e) If yes, please provide the specific legal authority and purpose for the collection of SSNs:

Click here to enter text.


4(f) If yes, please describe the uses of the SSNs within the project, program, or system:

Click here to enter text.


4(g) If this project, program, or system is an information technology/system, does it relate solely to infrastructure?


For example, is the system a Local Area Network (LAN) or Wide Area Network (WAN)?

No. Please continue to next question.

Yes. If a log kept of communication traffic, please answer this question.


4(h) If header or payload data4 is stored in the communication traffic log, please detail the data elements stored.

Click here to enter text.

N/A



  1. Does this project, program, or system connect, receive, or share PII with any other HUD programs or systems?


No.

Yes. If yes, please list:

  1. Does this project, program, or system connect, receive, or share PII with any external (non-HUD) partners or systems?


No.

Yes. If yes, please list:

6(a) Is this external sharing pursuant to new or existing information sharing access agreement (MOU, MOA, etc.)?


Please describe applicable information sharing governance in place:

Existing Computer Matching Agreements with the Social Security Administration and the Department of Health and Human Services


7. Does the project, program, or system provide role-based training for personnel who have access in addition to annual privacy training required of all HUD personnel?

No.

Yes. If yes, please list:

Initial EIV System Training, Updated EIV System Training, Annual Security Awareness Training

  1. Per NIST SP 800-53 Rev. 4, Appendix J, does the project, program, or system maintain an accounting of disclosures of PII to individuals/agencies who have requested access to their PII?

No. What steps will be taken to develop and maintain the accounting:

Yes. In what format is the accounting maintained: Log all access in EIV data base

  1. Is there a FIPS 199 determination?5

Unknown.

No.

Yes. Please indicate the determinations for each of the following:

Confidentiality:

Low Moderate High



Integrity:

Low Moderate High



Availability:

Low Moderate High






PRIVACY THRESHOLD ANALYSIS REVIEW

(To be Completed by PROGRAM PLO)

Program Privacy Liaison Reviewer:

Arlette Mussington


Date submitted to Program Privacy Office:

April 3, 2019


Date submitted to HUD Privacy Branch:

Click here to enter a date.


Program Privacy Liaison Officer Recommendation:

Please include recommendation below, including what new privacy compliance documentation is needed.

None.

(To be Completed by the HUD Privacy Branch)

HUD Privacy Branch Reviewer:

Click here to enter text.

Date approved by HUD Privacy Branch:

Click here to enter a date.

PTA Expiration Date:

Click here to enter a date.

DESIGNATION

Privacy Sensitive System:

If “no” PTA adjudication is complete.


Category of System:

If “other” is selected, please describe: Click here to enter text.


Determination: PTA sufficient at this time.

Privacy compliance documentation determination in progress.
New information sharing arrangement is required.
HUD Policy for Computer-Readable Extracts Containing Sensitive PII applies.
Privacy Act Statement required.
Privacy and Civil Liberties Impact Assessment (PCLIA) required.
System of Records Notice (SORN) required.
Paperwork Reduction Act (PRA) Clearance may be required. Contact your program PRA Officer.
A Records Schedule may be required. Contact your program Records Officer.


PIA:

If covered by existing PCLIA, please list: Click here to enter text.


SORN:

If covered by existing SORN, please list: Click here to enter text.


HUD Privacy Branch Comments:

Please describe rationale for privacy compliance determination above.

Click here to enter text.



DOCUMENT ENDORSMENT



DATE REVIEWED:

PRIVACY REVIEWING OFFICIALS NAME:



By signing below, you attest that the content captured in this document is accurate and complete and meet the requirements of applicable federal regulations and HUD internal policies.






SYSTEM OWNER

Rochelle Katz, Acting Program Manager


Date

Department of Housing and Urban Development Real Estate Assessment Center

Enterprise Income Verification Center














CHIEF PRIVACY OFFICER

<<INSERT NAME/TITLE>>


Date

OFFICE OF ADMINISTRATION









2 Informational and collaboration-based portals in operation at HUD and its programs that collect, use, maintain, and share limited personally identifiable information (PII) about individuals who are “members” of the portal or “potential members” who seek to gain access to the portal.

3 HUD defines personal information as “Personally Identifiable Information” or PII, which is any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department. “Sensitive PII” is PII, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. For the purposes of this PTA, SPII and PII are treated the same.

4 Header: Information that is placed before the actual data. The header normally contains a small number of bytes of control information, which is used to communicate important facts about the data that the message contains and how it is to be interpreted and used. It serves as the communication and control link between protocol elements on different devices.

Payload data: The actual data to be transmitted, often called the payload of the message (metaphorically borrowing a term from the space industry!) Most messages contain some data of one form or another, but some actually contain none: they are used only for control and communication purposes. For example, these may be used to set up or terminate a logical connection before data is sent.

5 FIPS 199 is the Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal Information and Information Systems and is used to establish security categories of information systems.



United States Department of Housing and Urban Development

January 15, 2021

File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
File Modified0000-00-00
File Created2021-01-15
© 2024 OMB.report | Privacy Policy