Defense Information Systems Agency recognizes the importance of protecting the privacy of its customers and employees, especially as it modernizes its information management systems as well as employee information systems. Privacy issues must be addressed when systems are developed and privacy protections must be integrated into the development life cycle of these automated systems. The vehicle for addressing privacy issues in a system under development is the Privacy Impact Assessment (PIA). The PIA process also provides a means to assure compliance with applicable laws and regulations governing customer and employee privacy.
Section 208 of the E-Government Act of 2002 establishes Government-wide requirements for conducting, reviewing, and publishing Privacy Impact Assessments (PIA). The following guidance from DoD directs all DoD components to conduct reviews of how privacy issues are considered when purchasing or creating new Information Technology (IT) systems or when initiating new electronic collections of information in personally identifiable form. A PIA addresses privacy factors for all new or significantly altered Information Technology (IT systems or projects that collect, maintain, or disseminate personal information from or about members of the public - excluding information on DoD personnel). The OMB government-wide guidance directs all Federal agencies, including the Department of Defense, to conduct PIAs on a slightly broader category of individuals, i.e., including contractors. Therefore, the DISA guidance mirrors the OMB government-wide guidance and adheres to this standard.
PRIVACY IMPACT ASSESSMENT GUIDENCE
- DISA Privacy Act System of Records Notices
- DISA Privacy Program Instruction 210-225-2
- DoD Privacy Impact Assessment Guidance
- DoD CIO Privacy Impact Assessment Web site
- OMB Privacy Impact Assessment Guidance
- DISA Approved Format for a Privacy Impact Assessment
- Privacy Impact Assessment Guidance Flowchart
- DITPR Express PIA and PA Review Process Flowchart