Download:
pdf |
pdf(INSERT CLASSIFICATION/CONTROL
MARKINGS, IF APPROPRIATE)
United States Department of Justice
Office of Privacy and Civil Liberties (OPCL)
Information Collection Request-Privacy Assessment
Instructions & Template
(Revised
3/30/2018)
What is an Information
Collection Request-Privacy
Act Statement Assessment?
An Information
Collection Request-Privacy
Assessment (ICR-P A) assesses whether your ICR I contains a collection
instrument that requires privacy-related notices, either directly on the form, or on a separate form that can
be retained by the individual. Specifically, the ICR-PA is a tool used to assess whether the ICR requests
personally identifiable information(PII);2 whether Privacy Act requirements apply to the ICR; what
system of records notices, if any, apply to the ICR; what information is necessary to prepare a legally
compliant Privacy Act Statement; and whether any other relevant privacy notices are required as part of a
component's ICR.
Why is an Information
Collection Request-Privacy
Assessment necessary?
The numerous
requirements regarding the collection of PH and ICRs are distinct, but very much related.
I.
The Privacy Act of 1974
Under the Privacy Act of 1974, 5 U.S.C. § 552a, a "record,,3 maintained in a "system of
records,,4 establishes certain collection, use, maintenance, and dissemination requirements for
Federal agencies, while also providing certain rights to individuals on whom the record
pertains. Specifically, each agency must provide a "Privacy Act Statement" when requesting
individuals to provide information to the agency that will be maintained as a record about the
1 For more information regarding the 001 ICRs process, please review The b!/ormation Collection/Paperwork
Reduction Act
Standards & Procedures.
2 The term "personally identifiable information" is defined as "information that can be used to distinguish or trace an individual's
identity, either alone or when combined with other information that is linked or linkable to a specific individual." OMB Circular
A-I30, Managing in.formation as a Strategic Resource. 81 Fed. Reg. 49689 (July 28, 2016).
) The term "record" means any item, collection, or grouping of information about an individual that is maintained by an agency,
including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that
contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual. such as a finger
or voice print or a photograph. 5 U.S.c. § 552a(a)(4).
4 The term "system of records" means a group of any records under the control of any agency from which infonnation is retrieved
by the name of the individual or by some identifying number. symbol. or other identifying particular assigned to the individual. 5
U.S.c. § 552a(a)(5).
(INSERT CLASSIFICATION/CONTROL
1
MARKINGS, IF APPROPRIATE)
�IINSERT CLASSIFICATION/CONTROL
MARKINGS, IF APPROPRIATE I
individual in a system of records. The Privacy Act Statement must appear on the form used to
collect the information or on a separate form that can be retained by the individual, and must
contain the following:
(A) the authority (whether granted by statute, or by executive order of the President)
which authorizes the solicitation of the information;
(B) whether disclosure of such information is mandatory or voluntary;
(C'J the principal purpose or purposes for which the information is intended to be used;
(D) the routine uses which may be made of the information, as published pursuant to
paragraph (4)(D) of this subsection; and
(E) the effects on him, if any, of not providing all or any part of the requested
information. 5
The Privacy Act also places strict notice requirements when requesting Social Security
Numbers (SSNs). Specifically, ifan agency requests an individual to disclose his/her SSN
(regardless of whether the number is part of a record maintained in a system of records), the
agency must inform the individual:
(A) whether that disclosure is mandatory or voluntary;
(B) by what statutory or other authority such number is solicited; and
(C ) what uses will be made of it.
II.
OMB Memorandum M-17-06: Collecting Personally Identifiable Information Using an
Online Interface
OMB Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital
Services (Nov. 8,2016),6 places additional privacy requirements on information collections
that utilize an online interface (e.g., collecting information through a 001 webpage). A
privacy notice must be provided, whenever feasible, where a Privacy Act Statement is not
required but members of the public could nonetheless provide PH to the agency using an
online interface. The privacy notice should include a brief description of the agency's
practices with respect to the PH that the agency is collecting, maintaining, using, or
disseminating.
III.
The Paperwork Reduction Act
In an effort to avoid overburdening the public with federally sponsored data collections,
Congress passed the Paperwork Reduction Act of 1995,44 U.S.c. §§ 3501-3521, which
requires Federal agencies to obtain Office of Management and Budget (OMB) approval
before requesting or collecting many types ofinformation7 from the public. To comply with
the Paperwork Reduction Act, Federal agencies must complete an ICR for submission to
OMB, prior to engaging in the collection of information, which consists of:
55 U.S.C. § 552a(e)(3).
6 Exec. Office of the President Memorandum for the Heads of the Executive Departments and Agencies, M-17 -06, Off. of Mgmt.
& Budget (Nov. 8,2016), htrps:llwww.whitchousc.gov/sites/whitchollsc.gov/filcs/ombImcmoranda;20
17/m-17-06.pdf.
70MB regulations define "information" for purposes of the Paperwork Reduction Act as "any statement or estimate offact or
opinion. regardless of form or format. whether in numerical. graphic. or narrative form, and whether oral or maintained on paper,
electronic or other media." 5 C.F.R. 1320.3(h). This includes: "( I) requests for information to be sent to the government. such as
forms ... written reports ... and surveys ... ; (2) recordkeeping requirements ... ; and (3) third-party or public disclosures ...
." Office of Management and Budget Memorandum, Information Collection under the Paperwork Reduction Act" at 2 (Apr. 7,
2010).
(INSERT CLASSIFICA TION/CONTROL MARKINGS, IF APPROPRIA TEl
2
�IINSERT CLASSIFICATION/CONTROL
MARKINGS, IF APPROPRIATE)
(A) a description of the information sought;
(B) the justification and authority for collecting the information sought;
(C ) the process for carrying out the collection; and
(D) the estimated burden of the collection on respondents and the Government.
OMB requires each agency to provide certain privacy-related information as part of all
agency ICR requests. Specifically, OMB requires agencies to answer two questions
regarding the ICR when reported to OMB:
(A) Does this ICR request any personally identifiable information?
(B) Does this ICR include a form that requires a Privacy Act Statement?
Overall, the ICR-PA will assist components in properly answering OMB's privacy-related questions, and
complying with relevant privacy laws and policies.
When should an Information Collection Request-Privacy Assessment be completed? An ICR-P A
should be completed as soon as a component determines that its ICR will utilize/develop an instrument
for the collection of information, or structured fields to collect information electronically. An ICR-PA
should be completed for any new information collections, or when seeking an extension for an existing
information collection that has not previously completed an ICR-P A. If the ICR contains multiple
collection instruments, a separate assessment should be completed for each instrument. Components must
complete the ICR-PA, and any required notices, prior to uploading the ICR request into the RISC and
OIRA Consolidated Information System (ROCIS), as detailed in The United States Department of Justice,
Information Collection/Paperwork Reduction Act Standards & Procedures.
Who should prepare the Information Collection Request-Privacy Assessment? An ICR-PA should
be completed by the Component Program Manager, and should be coordinated with the component PRA
Coordinator, Senior Component Official for Privacy (SCOP) (or other appropriate component privacy
representative), and the program-specific office responsible for the information collection.
Where should the prepared Information Collection Request-Privacy Assessment be sent? A
completed ICR-PA will certify to the Department Clearance Officer that the Program Manager has
accurately contemplated the new privacy-related questions, and can accurately answer the questions in its
ROCIS submission to OMB OIRA. Components should retain the ICR-PA in their internal records, which
can be requested at any time by the Department Clearance Officer or OPCL.
How is the ICR-PA related to a traditional Initial Privacy Assessment? An Initial Privacy
Assessments (lPA) is the first step in a process developed by OPCL to assist DOJ components identify
privacy compliance issues for DO] information collections and systems. Specifically, the IPA is a tool
used to facilitate the identification of potential privacy issues, assess whether additional privacy
documentation is required, and ultimately, ensure the Department's compliance with applicable privacy
laws and policies.
It is likely that an information collection sent through the ICR process that collects PH will be
required to meet additional privacy-related requirements, beyond those discussed in the ICR-PA.
It is highly recommended that you discuss the full collection, use, maintenance, and dissemination
processes related to this ICR with your SCOP as soon as you contemplate a new collection of
information.
(INSERT CLASSIFICATION/CONTROL
3
MARKINGS, IF APPROPRIA TEl
�(INSERT CLASSIFICATION/CONTROL
MARKINGS,
IF APPROPRIATE!
NAME OF INFORMATION COLLECTION REQUEST: MonthlyReturn of Arson Offenses Knownto Law Enforcement
OMB CONTROL NUMBER (IF APPLICABLE): 1110-0008
COMPONENT: CriminalJustice InformationServices (CJIS) Division/FederalBureau of Investigation(FBI)
COMPONENT PRA COORDINATOR
Name: Malissa C. Vavra
Office: Crime and Law Enforcement Statistics Unit
Phone: 304-625-3010
Bldg.lRoom Number: CJISIDI
Email: [email protected]
PROGRAM MANAGER (OR PROGRAM MANAGER
DELEGATE)
Name: Edward L.Abraham
Office: Crime and Law EnforcementStatistics Unit
Phone: 304-625-4830
Bldg./Room Number: CJIS/D1
Email: elabraham@fbLgov
SENIOR COMPONENT OFFICIAL FOR PRIVACY
(where applicable) OR COMPONENT PRIVACY
POINT OF CONTACT
Name: KatherineM. Bond
Office: Privacyand CivilLiberties
Phone: 304-625-3190
Bldg.lRoom Number: CJIS/C3
Email kmbond@fbLgov
ICR-PA Certification & Signature
On behalf of my component,
I certify that:
(I) I have reviewed all collection instruments associated with this ICR;
the ICR-PA below for the collection instrument(s) associated with this ICR;
(3) I have coordinated closely with the component PRA Coordinator and SCOP (or other appropriate component
privacy representative) in assessing and answering each of the ICR-PA questions below;
(4) To the extent the collection instrument(s) associated with this ICR require(s) a privacy-related notice(s), I have
coordinated internally to ensure that the appropriate notice(s) haslhave been drafted; that the notice(s) is/are
conspicuous, salient, clearly labeled, and written in plain language; and that the notice(s) is/are appropriately
displayed as required by law or policy; and
(5) I will reassess the information in this ICR-PA, in accordance with the Department's ICR process, should the
instrument(s) associated with this ICR materially change.
(2) I have completed
Program Manager Name:
Edward L. Abraham
Program Manager Signature:
~---
Date signed:
Please prepare the fCR-PA per the guidance provided in the questions on the template
below. If the ICR contains multiple collection instruments an assessment should be
completed for each instrument
(INSERT CLASSIFICATION/CONTROL
4
MARKINGS,
IF APPROPRIATE)
�(INSERT CLASSIFICA TION/CONTROL
MARKINGS, IF APPROPRIATE)
ICR Instrument Name:
Monthly Return of Arson Offenses Known to Law Enforcl
OMB Control Number (if applicable):
_11_1_0-_00_0_8
_
I. Which of the following describes the collection.
o
Electronic only.
D Paper only.
D Combination paper/electronic.
2. Does the ICR include a collection instrument (either physical or electronic)?
o
Yes. [If you marked "Yes." proceed to question 3].
D
No. [lfyou marked "No," STOP here. Additional privacy statements are not
necessary forthis collection].
3. Please indicate if any of the following characteristics apply to the information collected:
(Check all that apply.)
D The information directly identifies specific individuals.
D The information is intended to be used, in conjunction with other data elements, to
indirectly identify specific individuals.
D
The information can be used to distinguish or trace an individual's identity (i.e., it
is linked or linkable to specific individuals).
[If you marked any of the above. proceed to question 4.]
o None of the above.
[If you checked "None of the above," STOP here. Additional privacy statements are not
necessary for this collection].
4. Is the component requesting an individual to disclose hislher Social Security Number (SSN)?
D No.
[If you marked "No." proceed to question 5].
D
Yes. [A SSN Statement may be required, pursuant to the Privacy Act. Coordinate
with your SCOP to draft an appropriate statement. Proceed to the next questions to
determine whether additional notifications are required].
IINSERT CLASSIFICATION/CONTROL
5
MARKINGS,
IF APPROPRIATE)
�[INSERT CLASSIFICATION/CONTROL
MARKINGS, IF APPROPRIA TEl
5. Is the component collecting the information using an online interface (e.g., a webpage)?
D No.
[If you marked "No:' proceed to question 6].
D Yes. [A privacy notice may be required. pursuant to OMB M-17-06. Coordinate
with your SCOP to draft an appropriate statement. Proceed to the next questions to
determine whether additional notifications are required].
6. Will information about United States citizens or lawfully admitted permanent resident aliens be
retrieved from the instrument by a personal identifier (e.g., by name)?
D No. [If you marked "No:' STOP here. Additional privacy statements are not
necessary for this collection, but you may have additional privacy-related
requirements beyond those discussed in this ICR-PA. Consult your SCOP to
identify additional privacy-related requirements, if any.]
DYes,
[If you marked "Yes," proceed to question 7].
7. Is there an existing Privacy Act System of Records Notice (SORN) that has been published in
the Federal Register that will sufficiently cover this new collection? (Please consult with your
component's SCOP, Privacy Act officer, General Counsel, or OPCL if assistance is needed in
responding to this question.)
D No. [If you marked "No," contact your SCOP/OPCL. An accurate SORN must
be published before a component may collect this information].
DYes.
[If you marked "Yes," proceed to question 8].
8. Does the existing SORN properly reflect this new information to be collected? (Please consult
with your component's SCOP, Privacy Act officer, General Counsel, or OPCL if assistance is
needed in responding to this question.)
D No. [If you marked "No," contact your SCOP/OPCL. An accurate SORN must
be published before a component may collect this information).
D
Yes. [A Privacy Act Statement may be required, pursuant to the Privacy Act.
Coordinate with your SCOP to draft an appropriate statement].
(INSERT CLASSIFICATION/CONTROL
6
MARKINGS, IF APPROPRIA TEl
�
| File Type | application/pdf |
| File Modified | 2023-11-03 |
| File Created | 2023-11-03 |