NASA Procedural Requirements
NPR 1382.1A
Effective Date: July 10, 2013
Expiration Date: July 10, 2018
COMPLIANCE IS MANDATORY

Subject: NASA Privacy Procedural Requirements

Responsible Office: Office of the Chief Information Officer


Chapter 2 - Privacy Leadership

2.1 Privacy Roles and Responsibilities

2.1.1 The following are overarching roles and responsibilities related to NASA's privacy program. Specific roles and responsibilities, as related to the elements of the privacy program, are referenced throughout the remainder of this NPR in their respective chapters.

2.1.1.1 NASA Headquarters, Centers, satellite and component facilities, and support service contractor sites may use internal organizational structure to fulfill the roles and responsibilities described herein, if the approach is documented in a formal policy.

2.1.2 Throughout this document, roles and responsibilities are generally listed at the highest level possible, with the assumption that specific tasks and functions may be delegated as necessary unless explicitly prohibited (e.g., a conflict of interest or separation of duties is created).

2.1.2.1 The NASA Administrator shall:

a. Ensure the protection of PII within NASA's information and information systems.

b. Assign an SAOP.

c. Manage and dispose of records created as a result of the requirements of this NPR in accordance with NPR 1441.1, NASA Records Retention Schedules, as appropriate.

2.1.2.2 The NASA Chief Information Officer (CIO) shall:

a. Provide guidance to the SAOP.

b. Issue NITRs to keep the NASA privacy program current with changes in federal privacy policy and guidelines, and with changes in the privacy environment, as needed.

c. Ensure that existing privacy NITRs are incorporated into future versions of this NPR and that once a NITR has been incorporated into the NPR, the NITR is canceled.

d. Manage and dispose of records created as a result of the requirements of this NPR in accordance with NPR 1441.1, as appropriate.

2.1.2.3 The SAOP shall:

a. Provide overall responsibility and accountability for ensuring NASA's implementation of privacy information protections.

b. Ensure that NASA is compliant with applicable Federal laws, regulations, policies, guidelines, and NASA privacy program requirements.

c. Develop and maintain a NASA-wide privacy program.

d. Develop NASA privacy goals and objectives.

e. Approve handbooks related to this NPR.

f. Assign a Privacy Program Manager to oversee the NASA-wide privacy program.

g. Assign a NASA Privacy Act Officer responsible for oversight of NASA's compliance with the Privacy Act.

h. Advise senior NASA officials concerning their responsibilities to protect privacy information.

i. Evaluate legislative, regulatory, and other guidelines and policies related to privacy.

j. Manage and dispose of records created as a result of the requirements of this NPR in accordance with NPR 1441.1, as appropriate.

2.1.2.4 The Center/Executive Director shall:

a. Appoint a Center Privacy Manager (CPM).

b. Support the protection and management of PII at the Center and consult with the CPM on matters pertaining to privacy.

c. Manage and dispose of records created as a result of the requirements of this NPR in accordance with NPR 1441.1, as appropriate.

2.1.2.5 The Center CIO shall:

a. Ensure that all Center information and information systems comply with the provisions of this NPR.

b. Support the protection and management of PII at the Center and consult with the CPM on matters pertaining to privacy. Support the CPM in protecting PII and/or IIF at the Center.

c. Manage and dispose of records created as a result of the requirements of this NPR in accordance with NPR 1441.1, as appropriate.

2.1.2.6 The Senior Agency Information Security Officer (SAISO) shall:

a. Provide necessary management and resources in support of the NASA-wide privacy program as established by the SAOP.

b. Manage and dispose of records created as a result of the requirements of this NPR in accordance with NPR 1441.1, as appropriate.

2.1.2.7 The NASA Privacy Program Manager shall:

a. Oversee and manage the development and implementation of policy and procedure, guidance, directives, and requirements for NASA in support of compliance with Federal laws, statutes, and Government-wide policy as directed by the SAOP.

b. Ensure that NASA complies with privacy requirements within Federal statutes, including the collection, maintenance, use, and dissemination of privacy information.

c. Develop and maintain NASA privacy policies, procedural requirements, and handbooks as directed by the SAOP.

d. Oversee and provide guidance in the implementation and the day-to-day operation of the NASA-wide privacy program as directed by the SAOP.

e. Review NASA's compliance with information privacy laws, regulations, and policies annually to validate effectiveness and ensure conformity with current Federal policies and guidance as directed by the SAOP.

f. Manage and dispose of records created as a result of the requirements of this NPR in accordance with NPR 1441.1, as appropriate.

2.1.2.8 The NASA Privacy Act Officer shall:

a. Ensure compliance with requirements of the Privacy Act.

b. Oversee, manage, and implement the Privacy Act requirements for NASA.

c. Manage and dispose of records created as a result of the requirements of this NPR in accordance with NPR 1441.1, as appropriate.

2.1.2.9 The Center Chief Information Security Officer (CISO) shall:

a. Support the CPM in protecting PII at the Center.

b. Manage and dispose of records created as a result of the requirements of this NPR in accordance with NPR 1441.1, as appropriate.

2.1.2.10 The CPM shall:

a. Serve as the Center advisor to the Center Director, Center CIO, Center CISO, and Information System Owners (ISOs) on all matters pertaining to privacy.

b. Function as the primary Center point of contact/liaison to the NASA Privacy Program Manager and NASA Privacy Act Officer.

c. Work with ISOs to review and aid in ensuring compliance with all privacy requirements, as needed.

d. Validate the proper disposition and/or sanitization process for files and records (paper, electronic, or other media formats), which contain privacy information.

e. Ensure the NASA privacy program is implemented at the Center in accordance with NASA policy.

f. Manage and dispose of records created as a result of the requirements of this NPR in accordance with NPR 1441.1, as appropriate.

2.1.2.11 The ISO shall:

a. Acquire, develop, integrate, operate, modify, maintain, and dispose of information systems containing PII in a manner consistent with Federal statutes, regulation, and NASA privacy policies.

b. Ensure compliance with the Privacy Act for applications and information systems containing Privacy Act records.

c. Verify with the Contracting Officer (CO)/Contracting Officer Technical Representative (COTR) that any contract that requires the operation of an SOR on behalf of NASA includes the appropriate FAR clauses required per FAR Subpart 24.1—Protection of Individual Privacy.

d. Notify the CO when purchase requests include services covered by the Privacy Act or PRA.

e. Notify the CO when contractor services will require or include access to PII collected by or on behalf of NASA.

f. Ensure that the contract statement of work identifies this NPR as outlining the NASA-specific requirements that must be followed by the contractor.

g. Manage and dispose of records created as a result of the requirements of this NPR in accordance with NPR 1441.1, as appropriate.

2.1.2.12 The NASA User shall:

a. Comply with all Federal laws, statutes, Government-wide, and NASA privacy policies and procedures.

b. Protect all PII in their custody, virtual, electronic, actual, or otherwise, from unauthorized disclosure, use, modification, or destruction so that the confidentiality and integrity of the information are preserved.

c. Manage and dispose of records created as a result of the requirements of this NPR in accordance with NPR 1441.1, as appropriate.




DISTRIBUTION:
NODIS


This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to Verify that this is the correct version before use: http://nodis3.gsfc.nasa.gov