NASA Procedures and Guidelines
This Document is Obsolete and Is No Longer Used. Check the NODIS Library to access the current version: http://nodis3.gsfc.nasa.gov
NPR 1382.1A Eff. Date: July 10, 2013 Cancellation Date:	NASA Privacy Procedural Requirements
| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | Chapter7 | Chapter8 | Chapter9 | AppendixA | AppendixB | AppendixC | AppedixD | AppendixE | ALL |

Chapter 8 - Privacy Accountability

8.1 Privacy Accountability Overview

8.1.1 The Privacy Accountability chapter relates to NASA's initiatives to ensure accountability as related to compliance with applicable privacy protection requirements. This chapter includes requirements that ensure NASA's compliance with established privacy controls and includes internal reporting requirements and external reporting requirements.

8.1.2 NASA Privacy Accountability procedures are governed by ITS-HBK-1382.08, Privacy Accountability.

8.2 Privacy Accountability Policy

8.2.1 Internal Reporting Requirements.

a. Internal reporting requirements exist within NASA to internally track compliance with privacy laws, regulations, and NASA's policies and procedures. Internal reporting requirements include metrics, data calls, and status reports. The results of internal reporting requirements are used to create metrics that allow the SAOP and the NASA Privacy Program Manager to evaluate the goals and objectives of the NASA privacy program.

b. NASA Privacy Accountability procedures are governed by ITS-HBK-1382.08, Privacy Accountability.

8.2.1.1 The SAOP shall update NASA senior management on the status of privacy goals and objectives.

8.2.1.2 The NASA Privacy Program Manager shall update the SAOP on relevant privacy metrics.

8.2.1.3 The CPM shall:

a. Update the NASA Privacy Program Manager, Center CIO, and Center CISO on the status of the privacy requirements at the Center.

b. Respond to various privacy related mandates and requests for information from the NASA Privacy Program Manager and NASA Privacy Act Officer.

c. Report any Privacy (PII) or Privacy Act violations, as required by NASA policy and procedures.

d. Track planned, in progress, and completed corrective actions taken to remedy deficiencies identified in compliance reviews.

e. Ensure the NASA Master Privacy Information Inventory (MPII) accurately reflects all electronic and non-electronic collections of information for their respective Center and is up to date at all times.

f. Report all significant privacy related activities (e.g., BRT activities and privacy complaints).

8.2.1.4 The ISO shall:

a. Report to the CPM on the status of compliance with NASA Privacy requirements.

b. Control disclosures from their SOR and maintain accountings of all disclosures of information in accordance with 14 CFR 1212.203.

8.2.1.5 The NASA user shall report any suspected or confirmed unauthorized disclosures of PII in any form to the SOC in accordance with Agency ITS incident reporting procedures.

8.2.2 External Reporting Requirements.

a. NASA has a number of external reporting requirements, including those required by OMB, Department of Homeland Security (DHS), FISMA, OIG, Government Accountability Office (GAO), and Congressional inquiries. For example, NASA is required to report annually to OMB or DHS under FISMA on privacy-related issues, including metrics on PIAs and SORNs.

b. NASA Privacy Accountability procedures are governed ITS-HBK-1382.08, Privacy Accountability.

8.2.2.1 The SAOP shall:

a. Ensure external reporting requirements are met.

b. Respond to external reporting requirements, as appropriate.

c. Approve NASA's privacy reports required by OMB and FISMA.

d. Develop a privacy reviews schedule.

e. Ensure that Privacy Act reviews are conducted, as prescribed by the Privacy Act and OMB A-130 and summarized in ITS-HBK-1382.08, Privacy Accountability.

8.2.2.2 The NASA Privacy Program Manager shall:

a. Produce and provide NASA's privacy reports required by OMB and FISMA to the NASA SAISO and the NASA SAOP.

b. Ensure that privacy reviews are conducted in accordance with the schedule outlined in ITS-HBK-1382.08, Privacy Accountability.

8.2.2.3 The NASA Privacy Act Officer shall coordinate and conduct Privacy Act and OMB A-130 reviews in accordance with the schedule outlined in ITS-HBK-1382.08, Privacy Accountability.

8.2.2.4 The CPM shall:

a. Coordinate FISMA privacy reporting data collection efforts for their Center and report to the NASA Privacy Program Manager, Center CIO, and Center CISO.

b. Coordinate regular Privacy Act reviews in accordance with the Privacy Act and OMB A-130.

DISTRIBUTION:
NODIS