NPR 1382.1A
Effective Date: July 10, 2013
Expiration Date: November 30, 2021

Subject: NASA Privacy Procedural Requirements

Responsible Office: Office of the Chief Information Officer

Chapter 1 - Privacy Management

1.1 Overview

1.1.1 This NPR establishes the privacy requirements and responsibilities for NASA, relative to the policy set forth in NPD 1382.17, NASA Privacy Policy. This document is intended to provide a framework for privacy program management and serves as the mechanism for the authorization of more in-depth documents (e.g., handbooks and memos).

1.1.2 This NPR is organized into eleven major sections: (1) Preface; (2) Management; (3) Leadership; (4) Risk Management and Compliance; (5) Information Security; (6) Incident Response and Management; (7) Notice and Redress; (8) Awareness and Training; (9) Accountability; (10) Rules of Behavior and Consequences; and (11) Appendices. Individual roles and responsibilities are included in sections 1-10, as appropriate. See Appendix C, Responsibilities Cross-Walk for a breakdown of applicable sections.

1.1.3 NASA is committed to protecting the privacy of information of individuals from whom it collects, maintains, uses, and/or disseminates such information. Laws, regulations, and guidance documents provide various terms and definitions used to describe personal information. These include: personally identifiable information or PII, privacy information, Privacy Act records, and information in identifiable form (IIF).

(a) In this NPR, sensitive PII does not include official business contact information (e.g., work e-mail address, office location, and/or office telephone number) for NASA employees and contractors unless this information is assessed as sensitive PII due to use and context. Sensitive PII is a subset of PII, which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

1.1.4 The NASA SAOP establishes and maintains the Agency's privacy program and its overall objectives and priorities. Privacy goals and objectives are identified and governed by ITS-HBK-1382.02, Privacy Goals and Objectives.

1.2 Governing Statutes Overview

1.2.1 This section provides a summary of each of the applicable governing statutes and their basic privacy-related requirements. The specifics of the related requirements and responsibilities are elaborated in subsequent chapters, as appropriate.

1.2.2 The Federal statutes that impact NASA's collection and management of PII include the Privacy Act, COPPA, e-Gov Act, FISMA, and the PRA.

Privacy Act of 1974 - The Privacy Act sets forth extensive requirements for the management of personal information contained in a system of records (SOR), where such information is routinely retrieved by a name or personal identifier unique to the individual.

Children's Online Privacy Protection Act of 1998 - COPPA regulates NASA's operation of Web sites or online services directed to children under age 13 when the Web site or service collects personal information from children.

E-Government Act of 2002 - The e-Gov Act reinforces existing statutory privacy provisions and adds new requirements to ensure sufficient protections for the privacy of personal information as agencies implement electronic government.

(a) Title III of the e-Gov Act, or FISMA, provides for development and maintenance of minimum controls required to protect Federal information and information systems (including privacy information). The e-Gov Act also authorizes OMB and NIST to define "minimum controls required."

(b) Section 208 of the e-Gov Act requires NASA to complete Privacy Impact Assessments (PIAs) for new or modified information systems that collect, maintain, or disseminate IIF from or about members of the public.

Paperwork Reduction Act of 1995 - The PRA regulates the burden that agencies place on members of the public when collecting information from them. OMB authorization shall be obtained when NASA collects information from ten or more members of the public through standardized fields, whether via survey (in paper or electronic form), Web-enabled forms, or any method of information provisioning, regardless of format or whether the provisioning of the information is voluntary. For this NPR, the PRA is applicable only when NASA seeks collection of IIF from members of the public.

This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.