Office of the Chief Information Officer &
High Performance Computing and Communications

NOAA Privacy Web page

(Link to DOC Privacy Web page)

 

NOAA Privacy Team

1. Ed Kearns, Chief Data Officer, ed.kearns@noaa.gov, 828-350-2410
2. Mark Graff, Bureau Chief Privacy Officer, mark.graff@noaa.gov, 301-628-5658
3. Sarah Brabson, Bureau Privacy Act Officer (and initial contact for PIA and PTA review), sarah.brabson@noaa.gov, 301-628-5751
4. Eric Williams, Bureau Privacy Breach Lead, eric.d.williams@noaa.gov, 301-713-9111

DOC Chief Privacy Officer/Senior Agency Official for Privacy (SAOP): Catrina Purvis: CPurvis@doc.gov

 

Federal agencies are required by law to protect information about individuals (members of the public, Federal employees and contractors) which they may collect, disseminate and/or store.

 

The Privacy Act of 1974 (5 USC 552a) regulates the Federal Government's collection, use, maintenance, and dissemination of information about individuals.  The Act establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual. The Privacy Act requires that agencies give the public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of information from a system of records absent the written consent of the subject individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records, and sets forth various agency record-keeping requirements.

Personally Identifiable Information (PII) and Business Identifiable Information (BII)

The term “personally identifiable information” refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as gender, date and place of birth, mother’s maiden name, etc. Name and contact information are PII.

Sensitive PII: (from OMB M-07-16, below): Using a best judgment standard, the sensitivity of certain terms, such as personally identifiable information, can be determined in context. For example, an office directory contains personally identifiable information (name, phone number, etc.). In this context the information probably would not be considered sensitive; however, the same information in a database of patients at a clinic which treats contagious disease probably would be considered sensitive information. PII that is always considered sensitive includes the social security number and any financially-related numbers such as credit card numbers and checking accounts.

The Department of Commerce (DOC) also requires protection of Business Identifiable Information (BII). BII consists of information that is defined in the Freedom of Information Act (FOIA) as "trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential" (5 U.S.C. 552(b)(4)). This information is exempt from automatic release under the (b)(4) FOIA exemption. "Commercial" is not confined to records that reveal basic commercial operations but includes any records [or information] in which the submitter has a commercial interest and can include information submitted by a nonprofit entity.

Here is an overview of the same information about PII and BII in a brochure published by DOC's Privacy Program.

NOAA Privacy Training Slides: March 9, 2016

Privacy-Related Statutes and Memoranda

DOC Office of Privacy and Open Government Privacy Laws and Regulations Page

 

NOAA Privacy Reports (brief version of most recent NOAA Monthly Privacy report)

Here is the NOAA Data Loss Prevention Plan, signed by Zach Goldstein on August 30, 2016. The related DOC memorandum is here.

The NOAA Privacy Policy was signed by Zach Goldstein on May 30, 2017.

The NOAA Unmanned Aircraft Systems Privacy Policy was signed by Zach Goldstein on March 28, 2017.

 

DOC and NOAA Privacy Control Allocations and Artifacts - basic information regarding privacy controls assessment.

NOAA Privacy Control Allocations and Implementation Statements

PIA template with cross-references to Privacy Controls - not for use in writing PIAs, but for auditors, as a tool for reviewing implementation of privacy controls

 

Excerpt from the new OMB A-130 circular regarding encryption of data at rest: "Encrypt all FIPS 199 moderate-impact and high-impact information at rest and in transit, unless encrypting such information is technically infeasible or would demonstrably affect the ability of agencies to carry out their respective missions, functions, or operations; and the risk of not encrypting is accepted by the authorizing official and approved by the agency CIO, in consultation with the SAOP (as appropriate)." See A-130 on the statutes and memoranda page; instructions are also in the NOAA PIA Guidance, Section 8.2.

 

Privacy Threshold Analysis

See the Privacy Threshold Analysis (PTA) template.

First, ensure that a system description is included; the recommendation is to use the one in CSAM (short system/purpose description).

Then, follow the instructions to determine if a PIA is needed. NOTE: the current PTA template states that not all questions need to be answered if the answer to Question 1 indicates a PIA is not needed. However, we request that you answer all questions, to have a clear record of whether the system has PII or BII and from whom it is collected. Also, BEFORE collecting the required signatures on the PTA, please send the Word version to Sarah.Brabson@noaa.gov for review. Signatures: as with the PIA, no co-AO signature is needed.

 

Privacy Impact Assessments

Privacy Impact Assessments (PIAs) are required by Section 208 of the E-Government Act for all Federal government agencies that develop or procure new technology (e.g. an electronic database) involving the collection, maintenance or dissemination of personally identifiable information, or that make substantial changes to existing technology for managing information in identifiable form. The Office of Management and Budget (OMB) ensures that PIAs necessitated under the E-Government Act are completed by requiring them as part of the annual budget process.

A PIA is an analysis of how personally identifiable information is collected, stored, protected, shared and managed. "Personally identifiable information" (PII) is defined as information in a system or online collection that directly or indirectly identifies an individual, whether the individual is a U.S. Citizen, Legal Permanent Resident, or a visitor to the U.S. Please refer to the NOAA PIA Guidance and template for basic instructions, as well as additional DOC guidance for new questions in the 2015 PIA template. Please contact Sarah Brabson, NOAA OCIO Privacy Coordinator, (301) 628-5751, or Sarah.Brabson@noaa.gov for additional guidance. OMB's Guidance for Implementing Section 208 also provides background information. NOTE: Please do not convert the PIA document to pdf, so that reviewers may edit and comment easily.

DOC Memo of November 18, 2014, citing M-14-04, and stating policy that the NIST 800-53 Rev 4 Privacy Controls must be implemented.

PIA Guidance

PIA Template

PIA Example

PTA Template

 

DOC PIA Annual Review Certification Form - This fillable pdf form should be submitted to DOC when there are no new privacy risks for a system. A new certification can be done up to 3 years since the last Commerce Compliance Review Board (CRB). There is a system reviewer signature required, a Privacy Act Officer signature required, and a signed review of privacy and security risks by Mark Graff.

The PIA last approved through a Compliance Review Board needs to accompany the certification, with new signatures AND an updated ATO date. Question 1.1 should be changed to "no new privacy risks" if the previous response was different. Finally, Sections 12.1 and 12.2 should both be "no", with 'yes' and explanations removed.

We will also submit the current PTA to DOC, updated if needed to state that there are no new privacy risks.

 

Privacy Act System of Record Notices (SORNs)


A system of records is any group of records as defined in section (a)(5) of the Privacy Act (". . . a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual") and noted in a System of Records Notice (SORN) in the FEDERAL REGISTER, either by the Department of Commerce or by another Federal agency. Each PIA must be covered by at least one SORN.

Please go here for a listing of current NOAA SORNs and a link to DOC SORNs.

Exemptions to the Privacy Act: All Exemptions to the Privacy Act have been included within the Federal Register Notice for the applicable SORN, listed here:

PRIVACY ACT REQUESTS (for individuals who wish to request access to, or amendment of, their records): These requests need to be submitted pursuant to 15 CFR 4.24. Here is the template language, also provided through FOIAOnline, for those making such requests.

 

Related Requirement which MAY apply:

The collection of information also may require approval by OMB under the Paperwork Reduction Act. For more information on Paperwork Reduction Act (PRA) requirements, please go to the Paperwork Reduction Act Home Page or contact Sarah Brabson (who is also the NOAA PRA Clearance Officer).

 

Approved NOAA PIAs:

NOAA Cyber Security Center (NOAA0100) - approved 11/9/2017

NOAA Web Operations Center (NOAA0201) - approved 1/11/2018

NOAA R&D HPCS (NOAA0500) - approved 2/27/2018

NOAA Environmental Security Computing Center (NOAA0520) - approved 1/17/218

NOAA Information Technology Center (NOAA1101), approved 7/6/2018

NOAA Corporate Services Local Area Network (LAN) (NOAA1200) - approved 3/21/2018

NOAA Everbridge Mass Notification System (ENS) (NOAA0900) - approved 2/28/2018

NOAA Office of Marine and Aviation Operations Ship Fleet Support System - approved 10/21/2016

NOAA NMFS Headquarters Wide Area Network and Enterprise Services (NOAA4000) - approved 9/13/2018

NOAA NMFS Permits and Landing System (NOAA4011) - approved 2/28/2018

NOAA NMFS Greater Atlantic Region Office Network (NOAA4100) - approved 9/20/2018

NOAA NMFS Northeast Fisheries Science Center (NOAA4200) - approved 5/12/2018

NOAA NMFS Southeast Region Local Area Network (NOAA4300) - approved 10/16/2018

NOAA NMFS Southeast Fisheries Science Center (NOAA4400) - approved 8/3/2018

NOAA NMFS West Coast Region Local Area Network (NOAA4500) - approved 9/28/2018

NOAA NMFS Northwest Fisheries Science Center (NOAA4600) - approved 4/20/2018

NOAA NMFS Alaska Region Local Area Network (NOAA4700) - approved 12/7/2018

NOAA NMFS Alaska Fisheries Science Center Network (NOAA4800) - approved 5/4/2018

NOAA NMFS Pacific Islands Region Local Area Network (NOAA4920) - approved 12/14/2017

NOAA NMFS Southwest Fisheries Science Center (NOAA4930) - approved 11/16/2017

NOAA NMFS Pacific Islands Fisheries Science Center Network (NOAA4960) - approved 8/24/2017

NOAA NMFS Science and Technology Division (NOAA4020) - approved 12/7/2017

NOAA Data Collection System (DCS) (NOAA5004) - approved 12/14/2018

NESDIS Headquarters Information System (NOAA5006) - approved 5/19/18

NESDIS Fairbanks Command and Data Acquisition Station Administrative Local Area Network (LAN) (NOAA5008) - approved 8/31/2017

NOAA National Climatic Data Center Local Area Network (LAN) (NOAA5009) - approved 7/14/2018

NESDIS National Oceanographic Data Center (NOAA5010) - approved 7/6/2018

NOAA Data Archive Management and User System (NOAA5011) - approved 12/14/2017

NESDIS Center for Satellite Applications and Research (STAR) LAN (NOAA5018) - approved 11/17/2017

NOAA Satellite Operations Facilities Administrative LAN (NOAA5044) - approved 11/2/2018

NESDIS Environmental Satellite Processing Center (ESPC) (NOAA5045) - approved 6/8/2017

NOAA Search and Rescue-Aided Satellite Tracking (SARSAT) 406 MHz Beacon Registration Database (NOAA5023) - approved 2/8/2018

NOAA Wallops Command and Data Acquisition Station Administrative LAN (NOAA5032) - approved 7/20/2018

NOAA Comprehensive Large-Array Stewardship System (CLASS) (NOAA5040) - approved 7/20/2018

National Ocean Service Enterprise Information System (NOAA6001) - approved 3/7/2018

National Ocean Service - National Center for Coastal Ocean Science (NCCOS) Research Support System (NOAA6301) - approved 2/12/2018

National Ocean Service - Coastal Services Center (NOAA6101) approved 2/23/2018

National Ocean Service - Center for Operational Oceanographic Products and Services PORTS and NWLON System (NOAA6205) approved 2/12/2018

National Ocean Service - Nautical Charting System (NOAA6501) - approved 2/22/2018

National Ocean Service - Office of National Marine Sanctuaries (NOAA6602) - approved 3/15/2018

National Ocean Service - Office of Response and Restoration LAN (NOAA6701) - approved 11/20/2017

National Ocean Service - National Geodetic Survey General Support System (NOAA6401) - approved 3/7/2018

National Ocean Service - Office of Response and Restoration Products System (NOAA6702) - approved 3/29/2018

National Weather Service - Aviation Weather Center (NOAA8861) - approved 7/27/2018

National Weather Service - Configuration Branch Information Technology System (NOAA8100) - approved 9/27/2018

National Weather Service - NOAA Water Center (NOAA8202) - approved 7/6/2018

National Weather Service - Performance Management System (NOAA8203) - approved 8/6/2018

National Weather Service - Weather and Climate Infrastructure Services (WCCIS) (NOAA8860) - approved 6/9/2014

National Weather Service - National Tsunami Warning Center (NOAA8865) approved 9/28/2018

NOAA National Data Buoy Center (NOAA8873) - approved 12/14/2017

National Weather Service - Alaska Region General Support System (NOAA8880) - approved 11/16/2017

National Weather Service - Central Region WAN/LAN (NOAA8881) - approved 6/27/2018

National Weather Service - Eastern Region LAN/WAN (NOAA8882) - approved 8/31/2017

National Weather Service - Pacific Region (NOAA8883) - approved 3/12/2018

National Weather Service - Southern Region General Support System (NOAA8884) - approved 4/28/2018

National Weather Service - Western Region Workforce Database (NOAA8885) - approved 2/28/2018

National Weather Service - Radar Operations Center LAN (NOAA8877) - approved 1/18/2018

National Weather Service - Space Weather Prediction Center (NOAA8864) - approved 11/17/2017