Review Privacy Compliance and Privacy Risk
Federal law and policy establish requirements for the proper handling of PII. To both ensure compliance with those requirements and manage privacy risks, SAOPs are required to review agency HVAs and identify those that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII. For each HVA identified in the SAOP’s review, the SAOP shall ensure that all required privacy documentation and materials are complete, accurate, and up-to-date. This includes the information system’s privacy plan, a formal document that details the privacy controls in place or planned for an information system or environment to meet applicable privacy requirements and manage privacy risks, how the controls have been implemented, and the methodologies and metrics used to assess the controls. The plan also includes documentation required by the Privacy Act of 1974 (5 U.S.C. § 552a) (e.g., systems of records notices and Privacy Act Statements), the privacy provisions of the E-Government Act of 2002 (i.e., privacy impact assessments (PIAs)), Federal Information System Modernization Act of 2014 (FISMA), and relevant OMB guidance.
In addition, each agency’s SAOP shall ensure that when PIAs are required for HVAs, they remain current and accurately reflect the information created, collected, used, processed, stored, maintained, disseminated, disclosed, or disposed of by the HVA. Further, these PIAs should be updated regularly to reflect any changes made to the information technology, agency practices, or HVAs that substantively alter the privacy risks associated with the use of such IT. The PIAs should appropriately document privacy risks and the controls required to mitigate those risks. Finally, SAOPs should ensure they have a reliable process in place to identify and assess on an ongoing basis any changes to the HVAs that may impact privacy risk and/or that may result in the need for additional or modified privacy documentation as part of the agency’s PCM program and PCM strategy as required by OMB Circular No. A-130.