Effective Date: August 10, 2007
Expiration Date: June 28, 2013
All PII, regardless of form, must be protected from unauthorized access or disclosure throughout its life cycle as SBU information in accordance with NPR 1600.1. Specific actions are required for information systems containing PII, and for the management of PII, at each phase in the life cycle of the information system and of the information itself.
The type of information to be collected or maintained, and how it is managed, dictate the requirements that information systems and Web sites must meet during planning and development, prior to system implementation.
a. If an information system will collect/maintain PII, it or the system that hosts such an application must be assigned a FIPS 199 security categorization of at least Moderate, and corresponding security controls implemented.
b. If information is collected from the public through the use of standard fields, whether voluntarily or not and regardless of collection media, the collection process must be assessed further by the NASA PRA Officer in the NASA OCIO for PRA applicability. If an OMB authorization as a PRA information collection (IC) is required, steps must be taken to obtain OMB authorization.
c. If the system will constitute a Privacy Act SOR, a SORN describing the system must be published in the Federal Register.
d. If any information is to be collected through a Web site using persistent cookies, there must be a compelling need to do so and a waiver for persistent cookie use obtained from the NASA CIO.
e. System/Web site content must be evaluated using the IPTA available through the NASA OCIO Web site.
f. If IIF on members of the public is to be collected/maintained, or if any IIF is to be collected/maintained and the system requires an EA review, the full PIA will be conducted.
NASA may only collect/maintain information about individuals that is relevant and necessary to accomplish a purpose of the Agency required by statute or Executive Order of the President.
E.2.1 Collection methods used by NASA systems or applications to obtain information, whether electronically or otherwise, include forms (electronic and hard copy), interviews or telephone conversations, surveys/questionnaires, inputs from other Government systems or other sources, persistent tracking technology on Web sites, Web-enabled forms, or e-mail links.
E.2.2 NASA collects and/or maintains information on civil servants, contractors and partners, and members of the public, including children or employee families. In all cases, at the point of collection of information on individuals, notification of the purpose and intended use of the information must be presented to the person providing the information. Specifics regarding the notification, elaborated in Chapters 4 and 5, vary slightly depending on which statutes apply as indicated below:
a. If any PII is collected via a Web site from members of the public, whether through persistent cookies or not, notification requirements of the E-Gov Act apply.
b. If Web sites target and collect PII from children under age 13, COPPA notices and processes are required.
c. Regardless of how or on whom information about individuals is collected/maintained, if maintained data are or will be retrieved by name or other unique personal identifier, Privacy Act notification requirements apply.
a. Owners of systems collecting/maintaining PII must ensure the maintenance of current, accurate, relevant, and complete information and its protection against unauthorized alteration, access, use, or disclosure.
b. Protection of information must be assured through risk management, system security procedures, including maintenance of system security controls corresponding to their assigned security categories, and IT Security C&A in accordance with NPR 2810.1.
c. Employees must report any suspected or confirmed IT security incident involving PII, whether in physical (non-electronic) or electronic form, immediately upon discovery in accordance with NPR 2810.1.
E.4.1 Owners of systems that are collecting and/or maintaining PII must describe, through the following mechanisms as appropriate, the ways in which the information is used by the Agency:
a. SOR Notices published in the Federal Register.
c. PRA IC authorization requests.
d. Notifications to individuals on whom information is being collected/maintained.
e. Web site policy statements.
E.4.2 Owners of systems containing PII must ensure that access is limited to those Agency employees who have a need for the information in the performance of their duties or, in the case of Privacy Act records, to disclosures outside the Agency (even to contractors) pursuant to a routine use published in the Federal Register.
E.4.3 Users with access to information in NASA Privacy Act SORs must be:
a. Notified at each entry into a system (when electronic) that it contains PII that must be protected and not disseminated without authorization.
b. Trained as to their responsibilities regarding access to, as well as use and protection of, the PII.
E.5.1 Data dissemination, sharing, or any sort of disclosure of IIF inside or outside the Agency must be limited to:
a. The purposes for which the information was collected.
b. Routine uses described in Privacy Act SORs.
c. NASA employees who require the information to accomplish their jobs.
d. Compliance with the written request or consent of the individual on whom the data are maintained.
E.5.2 Individuals' names and addresses may not be sold or rented unless such action is specifically authorized by law.
E.5.3 When transmitting privacy data via e-mail messages, senders must encrypt the messages prior to transmission, in accordance with NPR 1600.1.
E.5.4 When transmitting, in hard copy format, privacy data that are subject to the Privacy Act, the material should be covered with NF 1534, "Privacy Act Cover Sheet." When transmitting any other hard copy privacy data, they should be covered with NF 1686, "Sensitive But Unclassified (SBU)." Both should be handled as SBU information in accordance with NPR 1600.1. Any hard copy material containing PII must include a watermark, "NASA Privacy Information, Protect Accordingly," on each individual page.
When system information qualifies as Federal records as defined in the NRRS, system owners must ensure that records are managed and disposed of in accordance with the NRRS or GRS.