Privacy Impact Assessment

PRIVACY IMPACT ASSESSMENT (PIA)
PRESCRIBING AUTHORITY: DoD Instruction 5400.16, "DoD Privacy Impact Assessment (PIA) Guidance". Complete this form for Department of Defense
(DoD) information systems or electronic collections of information (referred to as an "electronic collection" for the purpose of this form) that collect, maintain, use,
and/or disseminate personally identifiable information (PII) about members of the public, Federal employees, contractors, or foreign nationals employed at U.S.
military facilities internationally. In the case where no PII is collected, the PIA will serve as a conclusive determination that privacy requirements do not apply to
system.
1. DOD INFORMATION SYSTEM/ELECTRONIC COLLECTION NAME:

NAVY FAMILY ACCOUNTABILITY AND ASSESSMENT SYSTEM (NFAAS)
3. PIA APPROVAL DATE:

2. DOD COMPONENT NAME:

02/22/19

Department of the Navy
Commander, Navy Installations Command (CNIC)
SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
a. The PII is: (Check one. Note: foreign nationals are included in general public.)
From members of the general public

From Federal employees and/or Federal contractors

From both members of the general public and Federal employees and/or
Federal contractors

Not Collected (if checked proceed to Section 4)

b. The PII is in a: (Check one)
New DoD Information System

New Electronic Collection

Existing DoD Information System

Existing Electronic Collection

Significantly Modified DoD Information System
c. Describe the purpose of this DoD information system or electronic collection and describe the types of personal information about individuals
collected in the system.

NFAAS is a web-based system for accounting for personnel (active duty, reserve, family members and civilian personnel) following a
natural or man-made disaster. NFAAS captures accounting status, contact and location information. NFAAS is also used to assess the impact
of the disaster on Navy affiliated personnel and provide support to help families return to a steady state. NFAAS is used on a regular basis to
track contact and data on sailors on Individual Augmentation orders. PII collected: Name, SSN (full and truncated), DoD ID number, gender,
birth date, personal cell telephone number, home telephone number, personal email address, mailing/home address, DoD affiliation, branch
of service, military status, rank/rate, duty station, name of sponsor, sponsor SSN; Spouse/child information: Name, Relationship, DOB,
Address, phone, email, number of children; Medical Information: medical history, illness/diagnosis, and medical treatment; Education
Information: current grade level, provider/school name, school district, provider/school address, provider/school office/fax numbers;
Emergency contact information: Name, Relationship (type in, optional), Address, phone (home, cell, work), email. Surveys are to include
the date of assessment, the type of event and category classification, contacts with the military family, and a Federal Emergency
Management Agency (FEMA) Number (if issued). Individual augmentation deployment records include Post Deployment Health
Assessments (PDHA) dates, dates of deployment, and contacts with the service member or contractor and family.
d. Why is the PII collected and/or what is the intended use of the PII? (e.g., verification, identification, authentication, data matching, mission-related use,
administrative use)

For authentication, verification and data matching. For personnel accountability and assessment purposes, in order to assist Navy personnel
and their families following a disaster.
e. Do individuals have the opportunity to object to the collection of their PII?

Yes

No

(1) If "Yes," describe the method by which individuals can object to the collection of PII.
(2) If "No," state the reason why individuals cannot object to the collection of PII.

By not entering their information in NFAAS, and individual will not be able to be accounted for following a disaster; nor the tracking of
needs that are caused by a disastrous event; nor be able to be tracked (if Active Duty or Reservist) as being enrolled in the Exceptional
Family Member Program.
f. Do individuals have the opportunity to consent to the specific uses of their PII?

Yes

No

(1) If "Yes," describe the method by which individuals can give or withhold their consent.
(2) If "No," state the reason why individuals cannot give or withhold their consent.

If an individual enters his/her information into NFAAS, he/she is providing consent.

DD FORM 2930, JUN 2017

PREVIOUS EDITION IS OBSOLETE.

AEM Designer

Page 1 of 10

g. When an individual is asked to provide PII, a Privacy Act Statement (PAS) and/or a Privacy Advisory must be provided. (Check as appropriate and
provide the actual wording.)
Privacy Act Statement

Privacy Advisory

Not Applicable

The Privacy Act Statement is presented to user on the initial login screen.
Privacy Act Statement
Authority: Title 10 U.S.C. 8013 and DODI 3001.02
Purpose: To provide a means of positive identification for the purpose of processing applications or retrieving data.
Routine Uses: None
Disclosure: Voluntary. Failure to provide the requested information may result in a delay or termination of your request.
Privacy Act Information is not shared from this system to any other system or user. SSN and DOB information entered into NFAAS is
encrypted and compared with SSN and DOB information residing in Defense Manpower Data Center (DMDC), an Authoritative Data
Source for the Department of Defense. SSN and DOB are not displayed in NFAAS in any form and are not used for any other purpose than
U.S Navy-approved personnel accountability.
Privacy and Security Notice
Navy Family Accountability and Assessment System (NFAAS) is committed to protecting your privacy. Therefore, your use and
implementation of the information and information request forms included in this Web site are covered under the following guidelines.
1. The Navy Family Accountability and Assessment System (NFAAS) is provided as a Navy-wide service by the Assistant Chief of Naval
Operations for Information Technology (ACNO-IT).
2. Information presented on NFAAS is considered FOUO information and may not be distributed or copied. Use of appropriate byline/
photo/image credits is requested.
3. Personal information on this system is protected under the Privacy Act Office of The U.S Department of The Navy. The authority for the
collection of this information is listed in the Department of Defense Privacy Act Systems of Record Notice DPR 39 DOD dated 24 March
2010.
4. For site management, information is collected for statistical purposes. This government computer system uses software programs to
create summary statistics, which are used for such purposes as assessing what information is of most and least interest, determining technical
design specifications, and identifying system performance or problem areas.
5. For site security purposes and to ensure that this service remains available to all users, this government computer system employs
software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage.
6. Except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits. Raw
data logs are used for no other purposes and are scheduled for regular destruction in accordance with National Archives and Records
Administration Guidelines. All data collection activities are in strict accordance with DoD Directive 5240.1.
7. Unauthorized attempts to upload information or change information on this service are strictly prohibited and may be punishable under
the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act.
8. If you have any questions or comments about the information presented here, please forward them to [email protected].
Cookie Disclaimer.
NFAAS does not use persistent cookies, i.e., tokens that pass information back and forth from your machine to the server and remain after
you close your browser. NFAAS does use session cookies, i.e., tokens that remain active only until you close your browser, in order to make
this site easier for you to use and to operate the Single Sign On (SSO) authentication and authorization services. No database of information
obtained from these cookies is kept and when you close your browser, the cookie is deleted from your computer. NFAAS uses cookies in the
following ways:
1. Establish authentication and authorization to the NFAAS and various applications designated to the user;
2. Provide personalized theme and content;
3. Monitor account activity and idle times.
If you choose not to accept cookies the Navy Family Accountability and Assessment System will not function properly, and you will be
required to re-authenticate multiple times. The help information in your browser software should provide you with instruction on how to
enable cookies.

DD FORM 2930, JUN 2017

PREVIOUS EDITION IS OBSOLETE.

AEM Designer

Page 2 of 10

h. With whom will the PII be shared through data exchange, both within your DoD Component and outside your Component? (Check all that apply)

Within the DoD Component

Authorized users from DeCA, DoDEA, DoDIG, TMA,
MDA, DTIC, DLA and its serviced activities (i.e., DHRA,
DMEA, and BTA) WHS and its serviced components (i.e.,
OSD, DARPA, DTRMC, OEA, DTSA, DLSA, DPMO,
DSCA, & PFPA). Each organization will only have access
Specify.
to its own employees records and those of serviced
organizations. Other authorized users may be Call Center
personnel, Commanding Officer representatives, Fleet and
Family support Case managers, and Exceptional Family
Member Program authorized personnel.

Other DoD Components

Specify.

Defense Manpower Data Center (DMDC)

Other Federal Agencies

Specify.

United States Coast Guard (USCG)

State and Local Agencies

Specify.

Contractor (Name of contractor and describe the language in
the contract that safeguards PII. Include whether FAR privacy
clauses, i.e., 52.224-1, Privacy Act Notification, 52.224-2,
Privacy Act, and FAR 39.105 are included in the contract.)

Specify.

Other (e.g., commercial providers, colleges).

Specify.

i. Source of the PII collected is: (Check all that apply and list all information systems if applicable)
Individuals

Databases

Existing DoD Information Systems

Commercial Systems

Other Federal Information Systems

Defense Manpower Data Center (DMDC) populates Personnel Accountability Reporting System (PARS) fed from various data sources to
include: Navy Manpower Program and Budget System (NMPBS); Navy-Marine Corps Mobilization Processing System (NMCMPS);
Medical Readiness Reporting System (MRRS); Defense Civilian Personnel Data System (DCPDS), and Defense Eligibility Enrollment
Reporting System (DEERS) to ultimately populate NFAAS. Individual and/or service members provide additional information for personal
cell phone number, e-mail address, and a written consent from their spouse or adult dependent(s) to collect PII and disability information.
j. How will the information be collected? (Check all that apply and list all Official Form Numbers if applicable)
E-mail

Official Form (Enter Form Number(s) in the box below)

Face-to-Face Contact

Paper

Fax

Telephone Interview

Information Sharing - System to System

Website/E-Form

Other (If Other, enter the information in the box below)

If an individual is not in the system, he/she can call a Call center, or a Commanding Officer Representative that can add them to the system
using the PII information that they provide. The only required fields to create a person are the SSN, Name, and the email address. These are
input via a web-based form.
k. Does this DoD Information system or electronic collection require a Privacy Act System of Records Notice (SORN)?
A Privacy Act SORN is required if the information system or electronic collection contains information about U.S. citizens or lawful permanent U.S. residents that
is retrieved by name or other unique identifier. PIA and Privacy Act SORN information must be consistent.
Yes

No

If "Yes," enter SORN System Identifier

N01754-4

SORN Identifier, not the Federal Register (FR) Citation. Consult the DoD Component Privacy Office for additional information or http://dpcld.defense.gov/
Privacy/SORNs/
or
If a SORN has not yet been published in the Federal Register, enter date of submission for approval to Defense Privacy, Civil Liberties, and Transparency
Division (DPCLTD). Consult the DoD Component Privacy Office for this date

DD FORM 2930, JUN 2017

PREVIOUS EDITION IS OBSOLETE.

AEM Designer

Page 3 of 10

If "No," explain why the SORN is not required in accordance with DoD Regulation 5400.11-R: Department of Defense Privacy Program.

l. What is the National Archives and Records Administration (NARA) approved, pending or general records schedule (GRS) disposition authority
for the system or for the records maintained in the system?
(1) NARA Job Number or General Records Schedule Authority.
(2) If pending, provide the date the SF-115 was submitted to NARA.

GRS 4.2 (Information Access and Protection Records)
12/1/2017

(3) Retention Instructions.

Collection, Use, Processing: Individual privacy risk is minimized to the greatest extent possible. The data is collected from 2 sources,
DMDC and Navy personnel, via secure protocols and encrypted channels. Data is protected at each stage and is only available to DoD and
DON authorized users responsible for the status and whereabouts of Navy personnel following a disaster or for recording exceptional family
member program enrollments. Privacy data (contact information) is available to users who are expected to observe Privacy Data from
unauthorized disclosure. Therefore, the only affect to an individual's privacy would be from unauthorized disclosure by an authorized user.
Retention and Disclosure: Data in the system is stored in a database that encrypts and hashes information to protect any direct access, or
human readable access to the data. The areas where the equipment with which this data resides on are monitored and have controlled access.
Access to records or information in the Database is limit to those officials who have been properly screened and trained or have a need to
know consistent with the purpose for which the information was collected. The threshold for need to know is strictly limited to those
personnel who are responsible for personnel Accountability, family support, and exceptional family program officials. Information
maintained in computer databases requires password protection and/or Common Access Card (CAC) access. Data is protected from
unauthorized access by using role-based access permissions. Privacy data (contact information) is available to users who are expected to
observe Privacy Data from unauthorized disclosure. Therefore, the only affect to an individual's privacy would be from unauthorized
disclosure by an authorized user. All contact data is retained indefinitely, or until the authorized user (individual, family, command, etc)
updates it. DEERs data for the individual is overwritten with each data refresh (every 30 days).
Destruction: Data is destroyed in accordance with the Navy's Record Management Manual; longer retention is authorized if needed for
business use. https://www.archives.gov/records-mgmt/grs.html
m. What is the authority to collect information? A Federal law or Executive Order must authorize the collection and maintenance of a system of
records. For PII not collected or maintained in a system of records, the collection or maintenance of the PII must be necessary to discharge the
requirements of a statue or Executive Order.
(1) If this system has a Privacy Act SORN, the authorities in this PIA and the existing Privacy Act SORN should be similar.
(2) If a SORN does not apply, cite the authority for this DoD information system or electronic collection to collect, use, maintain and/or disseminate PII.
(If multiple authorities are cited, provide all that apply).
(a) Cite the specific provisions of the statute and/or EO that authorizes the operation of the system and the collection of PII.
(b) If direct statutory authority or an Executive Order does not exist, indirect statutory authority may be cited if the authority requires the
operation or administration of a program, the execution of which will require the collection and maintenance of a system of records.
(c) If direct or indirect authority does not exist, DoD Components can use their general statutory grants of authority (“internal housekeeping”) as
the primary authority. The requirement, directive, or instruction implementing the statute within the DoD Component must be identified.

SORN Authorities:
--10 U.S.C. 5013, Secretary of the Navy
--10 U.S.C. 3013, Secretary of the Army
--10 U.S.C. 8013, Secretary of the Air Force
--10 U.S.C. 136, Under Secretary of Defense for Personnel and Readiness
--DoD Instruction 3001.02, Personnel Accountability in Conjunction with Natural Disasters or National Emergencies
--Air Force Instruction 36-3803, Personnel Accountability in Conjunction with Natural Disasters or National Emergencies
--OPNAVINST 3006.1, Personnel Accountability in Conjunction with Catastrophic Events
--SECNAV Instruction 1754.5B, Exceptional Family Member Program
--HQDA EXORD 118-12, Army Disaster Personnel Accountability (DPA) Program and ADPAAS
--E.O. 9397 (SSN), as amended.
n. Does this DoD information system or electronic collection have an active and approved Office of Management and Budget (OMB) Control
Number?

DD FORM 2930, JUN 2017

PREVIOUS EDITION IS OBSOLETE.

AEM Designer

Page 4 of 10

Contact the Component Information Management Control Officer or DoD Clearance Officer for this information. This number indicates OMB approval to
collect data from 10 or more members of the public in a 12-month period regardless of form or format.
Yes

No

Pending

(1) If "Yes," list all applicable OMB Control Numbers, collection titles, and expiration dates.
(2) If "No," explain why OMB approval is not required in accordance with DoD Manual 8910.01, Volume 2, " DoD Information Collections Manual:
Procedures for DoD Public Information Collections.”
(3) If "Pending," provide the date for the 60 and/or 30 day notice and the Federal Register citation.

007-000001728

DD FORM 2930, JUN 2017

PREVIOUS EDITION IS OBSOLETE.

AEM Designer

Page 5 of 10