![[NASA Logo]](../Images/nasaball.gif) |
NASA Procedures and Guidelines |
||||
This Document is Obsolete and Is No Longer Used.
|
|||||
|
|
|||||
|
|
||||
| | TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | Chapter7 | Chapter8 | Chapter9 | AppendixA | AppendixB | AppendixC | AppedixD | AppendixE | ALL | | |||||
6.1.1 The Privacy Notice and Redress chapter relates to NASA's initiatives to ensure notice has been provided to the public and that a mechanism (i.e., policies and procedures) is in place to allow an individual to request information NASA has collected about them and, if needed, to redress or correct their information.
6.1.2 NASA Privacy Notice and Redress procedures are governed by 14 CFR 1212 and governed by ITS-HBK-1382.06, Privacy Notice and Redress.
6.2.1 Privacy Notice
NASA provides general notice to the public in a number of ways, including the publishing of PIAs, SORNs, Privacy Act Statements, and the NASA Web Privacy Policy and Important Notices ("NASA Web Privacy Policy"). PIAs, SORNS, and Privacy Act Statements are addressed in Chapter 3. All publicly facing NASA Web sites shall link to the NASA Web Privacy Policy. This includes Web sites that are operated under contract that are deemed to be maintained by the Agency and all Web sites operated on behalf of the Agency. Posting the NASA Web Privacy Policy is not required if: 1) a Web site contains no "Government information," as defined in OMB Circular A-130 (i.e., information created, collected, processed, disseminated, or disposed of by or for the Federal Government); 2) a Web site is an Agency intranet Web site accessible only by authorized NASA users (employees, contractors, consultants, fellows, and grantees); or 3) a Web site is a National Security system, as defined in 40 U.S.C. 11103, or as exempt from the definition of information technology, as defined in Section 202(i) of the e-Gov Act. In accordance with OMB Memorandum M-10-23, the NASA Web Privacy policy is required to be included on official NASA Web sites and applications hosted on third-party Web sites and applications. Specific information on privacy notice requirements is governed by ITS-HBK-1382.06, Privacy Notice and Redress.
6.2.1.1 The NASA CIO shall:
a. Ensure the NASA Web Privacy Policy is posted (or linked to) all public facing NASA Web sites.
b. Ensure the NASA Web Privacy Policy is posted (or linked to) on official NASA Web sites and applications hosted on third-party Web sites and applications.
c. Make the NASA Web Privacy Policy available through the NASA Office of the CIO (OCIO) Web site.
d. Ensure that the NASA Web Privacy Policy is translated into a standardized machine-readable format.
6.2.1.2 The SAOP shall:
a. Ensure the NASA Web Privacy Policy:
(1) Includes description of the information being collected.
(2) Includes the purpose for the collection.
(3) Includes the official use of, or need for, the collected information.
(4) Specifies what information NASA collects automatically (e.g., user's internet protocol (IP) address, location and time of visit) and identifies the use for which it is collected (e.g., site management or security purposes).
(5) Informs visitors as to whether their provision of the requested information is voluntary.
(6) Informs visitors on how to grant consent for the use of voluntarily provided information.
(7) Informs visitors on how to grant consent for NASA to utilize the information that the Web site collects for a use other than statutorily mandated or authorized routine uses under the Privacy Act.
(8) Notifies visitors of their rights under the Privacy Act for SOR.
(9) Incorporates information to meet the requirements of the COPPA, where appropriate.
(10) Includes information on the redress mechanism.
(11) Notifies visitors as to how the Agency handles unsolicited e-mail, including the fact that the sender's privacy is not guaranteed.
b. Disclose, in the applicable NASA Web Privacy Policy, a third party's involvement in Agency applications when they are embedded within a NASA Web site.
6.2.1.3 The Center CIO shall:
a. Examine and monitor the third party's privacy policy when the Center uses a third-party Web site or application to evaluate risk and determine whether its use is appropriate for NASA.
b. Ensure the NASA Web Privacy Policy is incorporated into all Center public-facing NASA Web sites.
6.2.1.4 The Privacy Program Manager shall review the NASA Web Privacy Policy to ensure compliance with this NPR and Federal requirements, and recommend updates, as appropriate.
6.2.1.5 The CPM shall assist the Center CIO in ensuring the NASA Web Privacy Policy is incorporated into all Center public facing NASA Web sites.
6.2.1.6 The ISO shall:
a. Ensure that privacy policies clearly and concisely inform visitors of the collection of PII.
b. Ensure that Privacy Act notification is provided to anyone entering an information system containing Privacy Act records.
c. Incorporate the NASA Web Privacy Policy into public-facing NASA Web sites.
6.2.2 Web Measurement and Customization Technology Use and Notice.
Web measurement and customization technologies are used "... to remember a user's online interactions with a Web site or online application in order to conduct measurement and analysis of usage or to customize the user's experience" per OMB Memorandum M-10-22. The use of this technology is permitted to improve NASA's online services; however, the use and notice requirements as outlined by OMB and NASA requirements shall first be satisfied. Specific information on when and how these technologies may be used at NASA is governed by ITS-HBK-1382.06, Privacy Notice and Redress.
6.2.2.1 The SAOP shall:
a. Ensure the NASA Privacy Policy describes the use of third-party Web sites and applications, as outlined by OMB.
b. Approve waivers for Web measurement and customization technology that collects PII prior to use of that technology, as defined in ITS-HBK-1382.06, and annually thereafter.
6.2.2.2 The Center CIO shall approve any Web measurement and customization technology use that does not collect PII prior to use of that technology, as defined in ITS-HBK-1382.06, and annually thereafter.
6.2.2.3 The NASA Privacy Program Manager shall advise the SAOP on Web Measurement and Customization Technology use at NASA.
6.2.2.4 The CPM shall advise the ISO on Web Measurement and Customization Technology use and requirements.
6.2.2.5 The ISO shall:
a. Ensure Web Measurement and Customization Technology use is compliant with requirements outlined in ITS-HBK-1382.06.
b. Ensure that the Web site utilizing approved Web Measurement and Customization Technology provides clear and conspicuous notice concerning the use of the technology and includes:
(1) The nature of the information collected.
(2) The purpose and use of the information.
(3) Whether, and to whom, the information will be disclosed.
(4) What privacy safeguards are applied to the information collected.
(5) Consequences to the visitor, or NASA user, of opting out.
c. Seek a waiver from the SAOP to use Web Measurement and Customization Technology when required, as described in ITS-HBK-1382.06.
6.2.3 COPPA Notice.
NASA Web sites that target children and collect PII from children under age 13 are required to provide conspicuous notice of the information collection practices, verifiable parental consent, and access, as defined by COPPA. Specific information on COPPA Notice requirements is governed by ITS-HBK-1382.06, Privacy Notice and Redress.
6.2.3.1 The Privacy Program Manager shall maintain Agency guidance for compliance with COPPA.
6.2.3.2 The ISO shall:
a. Ensure compliance with COPPA for Web sites intended to be used by, or targeted to, children under the age of 13 that collect PII.
b. Ensure that notice is provided concerning what information is being collected from children by the operator, how the information will be used, and the operator's disclosure practices.
c. Ensure verifiable parental approval is obtained for the collection, use, or disclosure of information from children.
d. Provide a process for parental review of information collected from the child.
e. Provide an opportunity for parental refusal to permit the operator's future use of the information or future collection of information.
f. Provide a means for the parent to obtain the personal information collected from the child.
6.2.4 Privacy Complaints
NASA is required to provide a mechanism for receiving and managing complaints from the public and from NASA users. Specific information on the privacy complaints process is governed by ITS-HBK-1382.06, Privacy Notice and Redress.
6.2.4.1 The SAOP shall:
a. Develop policies and procedures for managing privacy complaints and inquiries.
b. Establish a complaint process, which includes the mechanism for filing a complaint.
c. Ensure that complaints are recorded, tracked, and addressed.
6.2.4.2 The NASA Privacy Program Manager shall work with the SAOP to record, track, and address privacy complaints.
6.2.4.3 The CPM shall:
a. Receive and address Center-level privacy complaints, as appropriate.
b. Report Center-level privacy complaints to the NASA Privacy Program Manager via the process defined in ITS-HBK-1382.06.
6.2.4.4 The ISO shall:
a. Receive and address privacy complaints associated with the application, information system, or Web site, if appropriate.
b. Report application, information system, or Web site privacy complaints to the CPM.
6.2.5 Privacy Redress and Privacy Act Information Requests.
NASA shall provide a mechanism for redress and remedy from misuse or mishandling of PII and for correcting inaccuracies. Specifically, NASA shall provide the public and the NASA user with the opportunity to amend or correct their PII. Specific information on the redress process is governed by ITS-HBK-1382.06, Privacy Notice and Redress. Additionally, NASA shall respond to Privacy Act information requests in accordance with 14 C.F.R. 1212.
6.2.5.1 The SAOP shall:
a. Develop policies and procedures for redressing misuse or mishandling of PII and for correcting inaccuracies. These policies shall:
(1) Be in plain language and easy to read and understand.
(2) Explain the right of redress.
(3) Explain the process for complaining, seeking redress, and/or appealing adverse decisions.
(4) Provide a general timeline for the redress process.
(5) Identify the privacy policy related to PII being collected, processed, or maintained.
b. Permit individual access to the Privacy Act SOR in order to amend those Privacy Act records, as permitted in accordance with 14 C.F.R 1212.
6.2.5.2 The NASA Privacy Program Manager shall assist the SAOP in redressing PII issues.
6.2.5.3 The Privacy Act Officer shall process Privacy Act record access requests from an individual seeking access to their individual NASA maintained record in accordance with 14 C.F.R 1212 and the Privacy Act.
6.2.5.4 The CPM shall ensure Privacy Act record access requests are forwarded to the appropriate System Manager for processing in accordance with 14 C.F.R. 1212.
6.2.5.5 The System Manager shall process Privacy Act record access requests from an individual seeking access to their individual NASA maintained record in accordance with 14 C.F.R 1212 and the Privacy Act.
6.2.5.6 The Freedom of Information Act (FOIA) Officer shall process Privacy Act record access requests from an individual seeking access to their individual NASA maintained record in accordance with 14 C.F.R 1212 and the Privacy Act.
| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | Chapter7 | Chapter8 | Chapter9 | AppendixA | AppendixB | AppendixC | AppedixD | AppendixE | ALL | |
| | NODIS Library | Organization and Administration(1000s) | Search | |