Title 1

SECTION 603.18

§ 603.18 Privacy Impact Assessments.

(a) Consistent with the requirements of the E-Government Act and OMB Memorandum M-03-22, the NCPC shall conduct a PIA before:

(1) Developing or procuring IT systems or projects that collect, maintain, or disseminate IIF; or

(2) Installing a new collection of information that will be collected, maintained, or disseminated using IT and includes IIF for 10 or more persons (excluding agencies, instrumentalities or employees of the federal government).

(b) The PIA shall be prepared through the coordinated effort of the NCPC's Privacy Officers (SAOP, PAO), Division Directors, CIO, and IT staff.

(c) As a general rule, the level of detail and content of a PIA shall be commensurate with the nature of the information to be collected and the size and complexity of the IT system involved. Specifically, a PIA shall analyze and describe:

(1) The information to be collected;

(2) The reason the information is being collected;

(3) The intended use for the information;

(4) The identity of those with whom the information will be shared;

(5) The opportunities Individuals have to decline to provide the information or to consent to particular uses and how to consent;

(6) The manner in which the information will be secured; and

(7) The extent to which the system of records is being created under the Privacy Act.

(d) In addition to the information specified in paragraphs (b)(1)-(7) of this section, the PIA must also identify the choices NCPC made regarding an IT system or collection of information as a result of preparing the PIA.

(e) The CCB shall verify that a PIA has been prepared prior to approving a request to develop or procure information technology that collects, maintains, or disseminates Information in Identifiable Form.

(f) The SAOP shall approve and sign the NCPC's PIA. If the SAOP is the Contracting Officer for the IT system that necessitated preparation of the PIA, the Executive Director shall approve and sign the PIA.

(g) Following approval of the PIA, the NCPC shall post the PIA document on the NCPC Web site located at www.ncpc.gov.