Effective Date: August 10, 2007
Expiration Date: June 28, 2013
Information in this appendix does not duplicate, but expands on, SOR requirements contained in Chapter 5.
Systems that only collect NASA employees' or contractors' names and work-related information (such as work e-mail address, office location, and office telephone number) do not qualify as Privacy Act SORs, although the data may be retrieved by individuals' names, because the PII is not personal information to be protected.
H.2.1 The system manager, with the assistance of the Center PAM, will draft a Federal Register notice of the system for the NASA CIO's signature. The Center PAM will coordinate Center legal review for Center-specific systems and submit the notice to the Privacy Act Officer for Agency-level review. An annotated SORN format may be found on the NASA Privacy Web site.
H.2.2 SORN Content. The first few fields of the SORN, through "Supplementary Information," constitute the notice preamble and must be prepared in accordance with the Federal Register Document Drafting Handbook, 1998 edition. The remaining fields specifically describe the SOR and must include:
a. The name and location of the system. The name describes the records maintained in the system or the individuals on whom the records are maintained. The system location specifically identifies each address or location at which records are physically maintained; for a system with many locations, the list of addresses and locations may be included by reference to the NASA System of Record Notice, Appendix B, as published with existing NASA SORNs.
b. The categories of individuals on whom records are maintained in the system. Categories of individuals covered by the system must be identified. The identification must be specific, and it must be stated in a manner that is clearly understood by the general public. Existing system notices may serve as examples of how to describe categories of individuals.
c. The categories of records maintained in the system. Each type of record or information maintained in the system must be identified as specifically as possible. This must be an all-inclusive list, and the record description must be clear and understandable to the general public. Acronyms, abbreviations, and references to public laws and regulations are to be avoided. For records containing many data fields, efforts must be made to list larger groupings that comprehensively incorporate the nature of all of the smaller detailed fields maintained. For example, "U.S. visitor/travel document numbers" may cover both passport and visa numbers, while "employment information" may cover employers' names and addresses.
d. The authority for maintenance of the system. The specific statutory provision(s) that authorize(s) the solicitation and maintenance of the information in the SOR must be identified. The authority must be statutory, not regulatory; that is, it must cite the United States Code or public law rather than the Code of Federal Regulations or Agency policies.
e. Each routine use of records contained in the system, including the categories of users and the purpose of such use. These are brief, concise, and clear statements of the disclosures of the information that may be made from the SOR. The term "routine use" strictly means the disclosure of a record or information from the system to entities outside the Agency for a purpose compatible with the purpose for which it was collected. The statement of a routine use must identify, as specifically as possible, the information that may be disclosed under routine use, to whom the record(s) or information may be given, and the purpose(s) or use(s) for which information may be disclosed. Routine use statements will be numbered sequentially. (Note: This paragraph is the most critical portion of the notice. If there is no routine use statement or the statement is not written precisely, NASA may not be able to disclose information from the SOR when it wishes to initiate a disclosure or when such disclosure is requested by a third party.) The statement must specify, by reference to the numbers from NASA SORN, Appendix B, any "standard routine uses" that apply to the system and attach it to this document.
f. Policies and practices regarding the storage, retrievability, access controls, and retention and disposal of the records. Each of these items must be discussed separately, each with its own paragraph heading.
(1) For policies and practices regarding storage, the medium and/or manner in which the records are maintained should be described, e.g., on microfilm, on magnetic tape, on a server, on a CD, or in paper file folders. If this varies by location, such as at different Field Centers, the storage at each location should be explained.
(2) For policies and practices regarding retrievability, the data fields by which records are indexed and routinely retrieved should be explained.
(3) For policies and practices on access controls, measures taken to prevent unauthorized access and disclosure of records, e.g., physical security, personnel screening, or technical safeguards, should be briefly described. Safeguards from natural disasters (e.g., tornadoes) should be included, along with backup and offsite storage and operations to be used if the site is damaged or destroyed, as well as the estimated time to return the system to operation. A statement such as "standard security procedures will be followed" is insufficient. Citing existence of an approved IT Security Plan or mentioning that "analyses of the system were conducted as required by FIPS 199 and applicable security controls implemented in accordance with FIPS 853" may serve as additional evidence that proper security measures were evaluated and implemented for electronic systems.
(4) For policies and practices regarding the retention and disposal of records, the approved disposition authority under which the records are retained and archived or disposed of should be provided. This must be either a specific NRRS item such as "Schedule 1, item 35" or a GRS item published by the National Archives such as "GRS 14, item 24(a)." The NASA Privacy Act Officer will not concur with the SORN for publication unless either an approved retention schedule is cited or a draft new schedule item is submitted with the SORN. System managers should coordinate with their Center Records Manager to identify a proper retention schedule item or to develop a schedule item for submission to the NASA Records Officer. The records may not be destroyed until NASA obtains an approved records disposition schedule from the Archivist of the United States.
g. System Manager(s). The title, office symbol, and address of the Agency official responsible for the policies and practices governing the SOR must be provided. Individual names are not included to ensure that the SORN does not become outdated due to NASA personnel changes. If the system of records is maintained in physically separate locations, other managers are to be listed as subsystem managers by their Center position titles and their addresses provided. Locations and addresses may be listed by reference to SORN Appendix B, which is the appendix for NASA's comprehensive SOR Notices as published in the Federal Register.
h. Agency procedures whereby an individual may request information as to whether the system contains records pertaining to them. The address(es) must be provided for the NASA office(s) to which inquiries are to be sent and the address(es) of the location(s) at which the individual may present a request as to whether a system contains records pertaining to him/her. Include any identifying information an individual is required to provide so that the Agency may determine whether the system contains a record about that individual.
i. Agency procedures whereby an individual can request access to any record contained in the SOR that pertains to him/her and learn how he or she can contest its content. The name(s) and address(es) must be provided for the NASA office(s) to which the individual may write to obtain information from his/her record. This information is for the individual who already knows that a system contains information about him/her.
j. The categories of sources of records in the system. The source of the records or information in the system (e.g., whether the information comes directly from individuals themselves, from other SORs, or from some other entity or Government unit) must be described as specifically as possible.
H.2.3 Once concurrence has been received from the PAM and the Office of the Chief Counsel, the local PAM will submit the notice to the Privacy Act Officer for processing.
H.2.4 The Privacy Act Officer will review the draft notice and coordinate review by the Office of the General Counsel and the NASA CIO for signature. The signed SORN will be provided by the NASA OCIO to the NASA Federal Register Liaison Officer for submittal to the Federal Register for publication.
As discussed in Chapter 5, system managers must ensure that individuals are presented with a Privacy Act Statement meeting the requirements outlined in 14 CFR 1212.602. Table H.1 addresses how to provide a Privacy Act statement under different collection circumstances.
Table H.1 Privacy Act Statement Delivery Requirements
| | Examples | NASA Procedures to Provide a Privacy Notice |
| In person | • Interviews | • Content of the notice must meet the requirements specified in this chapter. • Provide the notice in writing or orally. If notice is given orally, provide the notice before collecting data and include a note with the maintained information that notice was provided orally. |
| | • Clinic forms • Printed forms requiring signatures | • Content of the notice must meet the requirements specified in this chapter. • Place the notice on the form near where data are collected or provide a separate Privacy Act Statement before collecting the data. |
| | | • If a caller requests additional information, the call center agent will mail the caller a privacy notice via U.S. mail. |
| Online | • Any Web-based form | • For employees or contractors, a privacy notice that meets the content requirements specified in this chapter must be available on screen near where data are collected. |
| | | • If data may be collected as a result of an e-mail interaction and placed in an SOR, provide a privacy notice meeting the content requirements specified in this chapter. • Place the notice in the same e-mail that solicits data or include the notice in response to e-mails from the customer, employee, or other individual. |