Download:
pdf |
pdfPrivacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
PRIVACY THRESHOLD ANALYSIS (PTA)
This form serves as the official determination by the DHS Privacy Office to
identify the privacy compliance requirements for all Departmental uses of
personally identifiable information (PII).
A Privacy Threshold Analysis (PTA) serves as the document used to identify
information technology (IT) systems, information collections/forms, technologies,
rulemakings, programs, information sharing arrangements, or pilot projects that involve
PII and other activities that otherwise impact the privacy of individuals as determined by
the Chief Privacy Officer, pursuant to Section 222 of the Homeland Security Act, and to
assess whether there is a need for additional Privacy Compliance Documentation. A PTA
includes a general description of the IT system, information collection, form, technology,
rulemaking, program, pilot project, information sharing arrangement, or other Department
activity and describes what PII is collected (and from whom) and how that information is
used and managed.
Please complete the attached Privacy Threshold Analysis and submit it to your
component Privacy Office. After review by your component Privacy Officer the PTA is sent
to the Department’s Senior Director for Privacy Compliance for action. If you do not have a
component Privacy Office, please send the PTA to the DHS Privacy Office:
Senior Director, Privacy Compliance
The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
Tel: 202-343-1717
[email protected]
Upon receipt from your component Privacy Office, the DHS Privacy Office will review this
form and assess whether any privacy compliance documentation is required. If compliance
documentation is required – such as Privacy Impact Assessment (PIA), System of Records
Notice (SORN), Privacy Act Statement, or Computer Matching Agreement (CMA) – the DHS
Privacy Office or component Privacy Office will send you a copy of the relevant compliance
template to complete and return.
Privacy Threshold Analysis – IC/Form
Page 1 of 12
Version number: 04-2016
Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Privacy Threshold Analysis (PTA)
Specialized Template for
Information Collections (IC) and Forms
The Forms-PTA is a specialized template for Information Collections and Forms. This
specialized PTA must accompany all Information Collections submitted as part of the
Paperwork Reduction Act process (any instrument for collection (form, survey,
questionnaire, etc.) from ten or more members of the public). Components may use this PTA
to assess internal, component-specific forms as well.
Form Number:
Form Title:
Component:
NA
Federal Emergency
Management Agency
(FEMA)
Office: Office
of Policy and
Program
Analysis
IF COVERED BY THE PAPERWORK REDUCTION ACT:
Collection Title:
Rated Orders, Adjustments, Exceptions, or Appeals Under the
Emergency Management Priorities and Allocations System (EMPAS)
Click here to enter a
OMB Control
OMB Expiration
date.
Number:
Date:
Collection status:
New Collection
Date of last PTA (if
Click here to enter
applicable):
a date.
Phone:
PROJECT OR PROGRAM MANAGER
Marc Geier
Office of Policy and
Title:
Program Analyst
Programs Analysis
202.924.0196
Email:
[email protected]
Name:
Office:
COMPONENT INFORMATION COLLECTION/FORMS CONTACT
Millicent Brown
IMD
Title:
Senior PRA/Forms Analyst
Name:
Office:
Privacy Threshold Analysis – IC/Form
Page 2 of 12
Version number: 04-2016
Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
Phone:
202.304.2291
Email:
[email protected].
gov
SPECIFIC IC/Forms PTA QUESTIONS
1. Purpose of the Information Collection or Form
This PTA is being submitted by FEMA’s Office of Policy and Program Analysis for Rated Orders,
Adjustments, Exceptions, or Appeals Under the Emergency Management Priorities and Allocations
System (EMPAS). This information is necessary to support the President's priorities and allocations
authority under the Defense Production Act (DPA) of 1950 as amended (50 U.S.C. 4501, et seq.)
implemented by the EMPAS regulation (44 CFR part 333), which was added by FEMA’s May 13,
2020 Emergency Management Priorities and Allocations System (EMPAS) Interim Final Rule (RIN
1660-AB04). The purpose of this authority is to ensure the timely delivery of products, materials, and
services to meet current national defense requirements. The President exercised his authority pursuant
to the DPA to respond to the COVID-19 pandemic in Executive Order 13911, authorizing the
Secretary of Homeland Security to prioritize and allocate health and medical resources to respond to
the spread of COVID-19. The Secretary of Homeland Security has further delegated this authority to
the FEMA Administrator. DHS Delegation 09052 Rev. 00.1 (Apr. 1, 2020).
Because of the substantial risk to life, safety, or health of individuals due to the shortage in emergency
medical products, materials, and equipment supporting distribution infrastructure, and other lifesustaining products, materials, and equipment related to COVID-19 treatment, FEMA requests an
emergency approval to collect the necessary information from contractors when placing rated orders
with suppliers, to obtain timely delivery of products, materials equipment, or services from suppliers,
or for any other reason under the EMPAS, in support of approved national programs.
Regarding customer notification of the acceptance of rated orders, the rejection of rated orders, and the
delay of rated orders, the Federal Government does not typically receive information under this
collection unless FEMA is facilitating a sale to a third party.
Under sections 333.12(b), 333.13, 333.70, and 333.71 of the EMPAS Interim Final Rule (IFR),
information is collected which may contain PII. The EMPAS IFR is very flexible and allows the
submission of the information in any format. For example, it may be submitted, verbally and by email
or by letter. The PII included in an email would include the name of the person providing the
information, their work email address, and signature block. The PII included in a letter would include
the name of the person providing the information, their Company’s physical address, and their
signature block.
a. List the DHS (or component) authorities to collect, store, and use this information.
If this information will be stored and used by a specific DHS component, list the
component-specific authorities.
The information collection supports FEMA’s implementation of the President’s priorities
and allocations authority under Title I of the DPA, as amended (50 U.S.C. 4501, et seq.).
Privacy Threshold Analysis – IC/Form
Page 3 of 12
Version number: 04-2016
Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
The purpose of this authority is to ensure the timely delivery of products, materials, and
services necessary or appropriate to promote the national defense.
2. Describe the IC/Form
a. Does this form collect any
Personally Identifiable
Information” (PII 1)?
b. From which type(s) of
individuals does this form
collect information?
(Check all that apply.)
c. Who will complete and
submit this form? (Check
all that apply.)
☒ Yes
☐ No
☒ Members of the public
☒ U.S. citizens or lawful permanent
residents
☐ Non-U.S. Persons.
☒ DHS Employees
☒ DHS Contractors
☒ Other federal employees or contractors. State,
local, or Tribal entity.
☐ The record subject of the form (e.g., the
individual applicant).
☒ Legal Representative (preparer, attorney,
etc.).
☒ Business entity.
If a business entity, is the only
information collected business contact
information?
☒ Yes
☐ No
☐ Law enforcement.
☒ DHS employee or contractor.
☐ Other individual/entity/organization that is
NOT the record subject. Please describe.
There is no form. The information that may be
collected is covered by the EMPAS Interim Final
Rule, which published on May 13, 2020.
1
Personally identifiable information means any information that permits the identity of an individual to be directly or indirectly inferred, including
any other information which is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident,
visitor to the U.S., or employee or contractor to the Department.
Privacy Threshold Analysis – IC/Form
Page 4 of 12
Version number: 04-2016
Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
d. How do individuals
complete the form? Check
all that apply.
☒ Paper.
☒ Electronic. (ex: fillable PDF)
☐ Online web form. (available and submitted via
the internet)
Provide link: There is no form. Individuals will
provide written electronic submission.
e. What information will DHS collect on the form? List all PII data elements on the
form. If the form will collect information from more than one type of individual,
please break down list of data elements collected by type of individual.
Because timely delivery or performance is critical under the EMPAS to support
emergency management programs, the information is used by the customer who placed
the rated order with a supplier to help track the status of the rated order from initial
receipt by supplier to shipment or performance of the needed goods or services. It would
be used by the Federal Emergency Management Agency and Department of Homeland
Security, as part of the information required to provide assistance to the customer in the
event that the supplier cannot or will not timely deliver or performance of the needed
goods or services.
Paragraph (d)(1) of section 333.13 requires written electronic notification of an
acceptance or a rejection of a DO rated order within 15 days and within 10 working days
of a DX rated order. No form is required for this required written electronic notification.
Paragraph (d)(2) of section 333.13 requires written electronic notification of an
acceptance or a rejection within the time specified in the rated order for the purpose of
emergency preparedness requirements. No form is required for this required written
electronic notification.
Paragraph (d)(3) of section 333.13 requires written electronic notification, when a
person finds that shipment or performance of the rated order will be delayed. The
person must notify the customer immediately, give the reasons for the delay, and advise
of a new shipment or performance date. If notification is given verbally, written
electronic confirmation must be provided within 24 hours of the verbal notice. No form
is required for this required written electronic notification.
Finally, under section 333.70, each request for adjustment or exception must be in
writing and contain a complete statement of all the facts and circumstances related to 44
Privacy Threshold Analysis – IC/Form
Page 5 of 12
Version number: 04-2016
Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
CFR part 333 or official action from which adjustment is sought and a full and precise
statement of the reasons why relief should be provided. Under section 333.71, any
person who has had a request for adjustment or exception denied by FEMA under
section 333.70 may appeal to the Administrator. Each appeal must be in writing and
contain a complete statement of all the facts and circumstances related to the action
appealed from a full and precise statement of the reasons the decision should be
modified or reversed. No form is required for the request for adjustment, the request for
exception, or the appeal.
Regarding customer notification of the acceptance of rated orders, the rejection of rated
orders, and the delay of rated orders, the Federal Government does not typically receive
information under this collection unless FEMA is facilitating a sale to a third party.
Under sections 333.12(b), 333.13, 333.70, and 333.71 of the EMPAS Interim Final
Rule (IFR), information is collected which may contain PII. The EMPAS IFR is very
flexible and allows the submission of the information in any format. For example,
it may be submitted, verbally and by email or by letter. The PII included in an
email would include the name of the person providing the information, their work
email address, and signature block. The PII included in a letter would include the
name of the person providing the information, their Company’s physical address,
and their signature block.
f. Does this form collect Social Security number (SSN) or other element that is
stand-alone Sensitive Personally Identifiable Information (SPII)? Check all that
apply.
☐ Social Security number
☐ DHS Electronic Data Interchange
Personal Identifier (EDIPI)
☐ Alien Number (A-Number)
☐ Social Media Handle/ID
☐ Tax Identification Number
☐ Known Traveler Number
☐ Visa Number
☐ Trusted Traveler Number (Global
☐ Passport Number
Entry, Pre-Check, etc.)
☐ Bank Account, Credit Card, or other
☐ Driver’s License Number
financial account number
☐ Biometrics
☐ Other. Please list:
g. List the specific authority to collect SSN or these other SPII elements.
N/A
Privacy Threshold Analysis – IC/Form
Page 6 of 12
Version number: 04-2016
Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
h. How will this information be used? What is the purpose of the collection?
Describe why this collection of SPII is the minimum amount of information
necessary to accomplish the purpose of the program.
N/A
i.
Are individuals
provided notice at the
time of collection by
DHS (Does the records
subject have notice of
the collection or is
form filled out by
third party)?
☐ Yes. Please describe how notice is provided.
Click here to enter text.
☒ No. There is no form.
3. How will DHS store the IC/form responses?
a. How will DHS store
☒ Paper. Please describe.
the original,
The regulations require written submission.
completed IC/forms?
There is no form. There are currently paper
records that are being kept in a secured file room
while the records are being scanned and
transitioned into the Electronic Contract Filing
System (a DHS repository.)
☐ Electronic. Please describe the IT system that will
store the data from the form.
Click here to enter text.
☒ Scanned forms (completed forms are scanned into
an electronic repository). Please describe the
electronic repository.
The paper forms are scanned and transitioned
into the Electronic Contract Filing System (a DHS
repository).
b. If electronic, how
does DHS input the
Privacy Threshold Analysis – IC/Form
☒ Manually (data elements manually entered). Please
describe.
Page 7 of 12
Version number: 04-2016
Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
responses into the IT
system?
c. How would a user
search the
information
submitted on the
forms, i.e., how is the
information
retrieved?
The will be either filed in the secure file room or
scanned into the Electronic Contact Filing System.
☐ Automatically. Please describe.
Click here to enter text.
☐ By a unique identifier. 2 Please describe. If
information is retrieved by personal identifier, please
submit a Privacy Act Statement with this PTA.
Click here to enter text.
☒ By a non-personal identifier. Please describe.
Generally, searches are completed by Contract
Number, although searches can be done for all
rated orders and by keyword specific terms.
The retention period is 3 years after final payment
pursuant to the Federal Acquisition Regulations
(FAR) Subpart 4.7 “Contractor Records Retention.”
d. What is the records
retention
schedule(s)? Include
the records schedule
number.
e. How do you ensure
The program will ensure that these records are
that records are
archived or destroyed in accordance with NARA
disposed of or deleted
general records schedule 1.1 “Financial Management
in accordance with
and Reporting Records.”
the retention
schedule?
f. Is any of this information shared outside of the original program/office? If yes,
describe where (other offices or DHS components or external entities) and why.
What are the authorities of the receiving party?
☐ Yes, information is shared with other DHS components or offices. Please describe.
Click here to enter text.
☐ Yes, information is shared external to DHS with other federal agencies, state/local
partners, international partners, or non-governmental entities. Please describe.
Click here to enter text.
2
Generally, a unique identifier is considered any type of “personally identifiable information,” meaning any information that permits the identity
of an individual to be directly or indirectly inferred, including any other information which is linked or linkable to that individual regardless of
whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.
Privacy Threshold Analysis – IC/Form
Page 8 of 12
Version number: 04-2016
Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
☒ No. Information on this form is not shared outside of the collecting office.
**Note that FEMA does not currently intend to share information outside of the
collecting office. Further, FEMA has not delegated authority under the EMPAS
regulations to any other agency at this time. Should FEMA delegate authority under the
EMPAS regulations to another agency in the future, that agency would be required to
share information with FEMA. Any such delegation would provide for the sharing of
information as part of the terms of the delegation.
Please include a copy of the referenced form and Privacy Act Statement (if
applicable) with this PTA upon submission.
Privacy Threshold Analysis – IC/Form
Page 9 of 12
Version number: 04-2016
Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
PRIVACY THRESHOLD REVIEW
(TO BE COMPLETED BY COMPONENT PRIVACY OFFICE)
Component Privacy Office Reviewer:
Date submitted to component Privacy
Office:
Date submitted to DHS Privacy Office:
Have you approved a Privacy Act
Statement for this form? (Only
applicable if you have received a
waiver from the DHS Chief Privacy
Officer to approve component Privacy
Act Statements.)
Tina Macomson
Click here to enter a date.
August 7, 2020
☐ Yes. Please include it with this PTA
submission.
☐ No. Please describe why not.
Click here to enter text.
Component Privacy Office Recommendation:
Please include recommendation below, including what existing privacy compliance
documentation is available or new privacy compliance documentation is needed.
FEMA Privacy recommends the following coverage:
PIA:
•DHS/ALL/PIA-065 Electronic Contract Filing System (ECFS)
SORN:
•DHS/ALL-021, Department of Homeland Security Contractors and Consultants
•DHS/ALL-004, General Information Technology Access Account Records System
(GITAARS)
Privacy Threshold Analysis – IC/Form
Page 10 of 12
Version number: 04-2016
Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
PRIVACY THRESHOLD ADJUDICATION
(TO BE COMPLETED BY THE DHS PRIVACY OFFICE)
DHS Privacy Office Reviewer:
Joseph Thomas (Sr. Analyst Hannah Burgess)
PCTS Workflow Number:
Date approved by DHS Privacy Office:
PTA Expiration Date
Click here to enter text.
August 10, 2020
August 10, 2023
DESIGNATION
Privacy Sensitive IC or
Form:
Yes If “no” PTA adjudication is complete.
DHS IC/Forms Review:
Choose an item.
Determination:
☐ PTA sufficient at this time.
☐ Privacy compliance documentation determination in
progress.
☐ New information sharing arrangement is required.
☐ DHS Policy for Computer-Readable Extracts Containing SPII
applies.
☐ Privacy Act Statement required.
☒ Privacy Impact Assessment (PIA) required.
☒ System of Records Notice (SORN) required.
☐ Specialized training required.
☐ Other. Click here to enter text.
Date IC/Form Approved Click here to enter a date.
by PRIV:
IC/Form PCTS Number: Click here to enter text.
Privacy Act
Choose an item.
Statement:
Click here to enter text.
PTA:
Choose an item.
Click here to enter text.
PIA:
System covered by existing PIA
Privacy Threshold Analysis – IC/Form
Page 11 of 12
Version number: 04-2016
Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy
If covered by existing PIA, please list: DHS/ALL/PIA-065 Electronic
Contract Filing System (ECFS)
If a PIA update is required, please list: Click here to enter text.
SORN:
System covered by existing SORN
If covered by existing SORN, please list: DHS/ALL-021, Department of
Homeland Security Contractors and Consultants;
DHS/ALL-004, General Information Technology Access Account Records
System (GITAARS)
If a SORN update is required, please list: Click here to enter text.
DHS Privacy Office Comments:
Please describe rationale for privacy compliance determination above.
FEMA has submitted this Rated Orders, Adjustments, Exceptions, or Appeals Under the
Emergency Management Priorities and Allocations System (EMPAS) PTA seeking to
collect information about customers who placed rated orders with a supplier to help track
the status of the rated order from initial receipt by supplier to shipment or performance of
the needed goods or services. This information, gathered either in writing, electronically
via email, or verbally, potentially includes PII including names, work email addresses, or
the contents of an email signature block. This PII is intended to be leveraged to facilitate
business follow-up for rated orders to ensure the timely delivery of products, materials,
and services to meet current national defense requirements.
DHS PRIV agrees that this is a privacy-sensitive system which requires PIA coverage.
Coverage is provided by DHS/ALL/PIA-065 Electronic Contract Filing System (ECFS),
which supports workflow, document management, and records management throughout
the lifecycle of purchasing orders or contract administration.
SORN coverage is also required. DHS PRIV agrees that DHS/ALL-021, Department of
Homeland Security Contractors and Consultants and DHS/ALL-004, General Information
Technology Access Account Records System (GITAARS) are adequate for the nature of
PII stored and accessed as a result of this collection.
Privacy Threshold Analysis – IC/Form
Page 12 of 12
Version number: 04-2016
File Type | application/pdf |
File Title | DHS PRIVACY OFFICE |
Author | marilyn.powell |
File Modified | 2020-08-10 |
File Created | 2020-08-10 |