

Department of Health and Human Services (HHS) Policy for Privacy Impact Assessments (PIA) updates and supersedes the previous version (HHS-OCIO-2009-0002.001, dated February 9, 2009). The Policy was updated to align with current HHS Privacy Threshold Analysis (PTA), PIA, and Internal PIA processes. The E-Government Act of 2002 and Office of Management and Budget (OMB) Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, require agencies to perform PIAs before developing, procuring, or using information technology (IT) systems or projects that collect, disseminate, maintain, or dispose of personally identifiable information (PII) or initiating, consistent with the Paperwork Reduction Act (PRA), a new electronic collection of PII from ten or more individuals.

The purpose of this Policy is to set forth the minimum HHS PTA, PIA, and Internal PIA requirements, as well as the accompanying review and publication processes. This Policy is supplemented by additional guidance that describes in greater detail the actions and activities that shall be taken to conduct and review PTAs, PIAs, and Internal PIAs at HHS.

The public entrusts HHS with a wide array of personal information ranging from basic identifiers, such as name and Social Security number, to more complex data, such as an individual’s genomic sequence or medical history. This public trust carries with it a corresponding responsibility that HHS protect and safeguard the information while it is being stored, transmitted, and shared by HHS. To ensure that the public’s personal information is protected in a manner commensurate with the privacy risks, HHS uses a privacy analysis process to assess the risks associated with HHS’s collection and maintenance of PII and to ensure information is handled in accordance with applicable legal, regulatory, and policy requirements. This process is documented in PTAs, PIAs, and Internal PIAs.

PTAs analyze how information is handled in IT systems and electronic information collections. If the analysis determines that the IT system or electronic information collection collects, disseminates, maintains, or disposes of PII, a PIA or Internal PIA shall also be required. PIAs are used to assess the privacy risks of IT systems and electronic information collections that collect, disseminate, maintain, or dispose of PII about members of the public. PIAs also provide transparency into how HHS collects, disseminates, maintains, or disposes of the public’s PII. Internal PIAs are used when an IT system or electronic information collection collects, disseminates, maintains, or disposes of PII only about HHS employees or direct contractors. Given that HHS handles a large amount of PII, it is critical that responsible organizations follow the requirements set forth in this Policy to protect PII and retain the public’s trust.

This Policy applies to HHS’s federal information and information systems, as defined in the Federal Information Security Modernization Act (FISMA), and electronic information collections, but does not apply to national security systems. This Policy does not apply to the use of third-party websites and applications (e.g., Third-Party Website and Applications PIAs). This Policy applies to all HHS components, as well as organizations conducting business for or on behalf of HHS through contractual, grant-making, or other relationships. HHS Operating Divisions (OpDivs) shall adopt and implement this Policy or may create a more restrictive policy, but not one that is less restrictive or less comprehensive than this Policy. This Policy does not supersede any other applicable law or higher level Agency directive, nor does it supersede any existing labor management agreement in effect as of the effective date of this Policy. This Policy also applies to HHS employees, contractor personnel, grant recipients, interns, and other non-government persons supporting HHS. All organizations collecting or maintaining information or using or operating information systems on behalf of the Department are also subject to the stipulations of this Policy. Compliance with this Policy shall be incorporated into applicable contract, grant, or memoranda of agreement language under separate cover, as appropriate.
Document Number: HHS-OCIO-PIM-3
