NASA Procedural Requirements

NPR 1382.1B Effective Date: July 26, 2022 Expiration Date: July 26, 2027

Subject: NASA Privacy Procedural Requirements

Responsible Office: Office of the Chief Information Officer

Appendix A. Definitions

Information in Identifiable Form (IIF). In Section 208(d) of 44 U.S.C. § 3601, IIF is defined as “... any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”

In accordance with OMB M-03-22, IIF “... is information in an IT system or online collection: (i) that directly identifies an individual (e.g. name, address, social security number or other identifying number or code, telephone number, e-mail address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, (i.e., indirect identification). (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors).”

Refer to ITS-HBK-1382.03-01for additional information on IIF.

NASA User. Any explicitly authorized patron of a NASA information system.

Non-Sensitive Personally Identifiable Information (PII). Non-Sensitive PII is information that is available in public sources the disclosure of which cannot reasonably be expected to result in personal harm.

Member of the Public. Refer to ITS-HBK-1382.03-01for the distinction of member of the public as it pertains to 44 U.S.C. § 3604 and 44 U.S.C. § 3501.

Personally Identifiable Information (PII). OMB M-07-16, PII “... refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc., alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

In accordance with OMB M-10-23, “... [t]he definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available - in any medium and from any source - that, when combined with other available information, could be used to identify an individual.”

For purposes of NASA policy, sensitive PII excludes personal information collected and or maintained by NASA employees and contractors for personal rather than NASA business purposes, as allowed under NID 2540.138. Examples of such excluded data include contact information for family, relatives, and doctors.

Refer to ITS-HBK-1382.03-01for additional information on PII.

Privacy Act Information. Information that is maintained in a “system of records,” which the Act defines as a group of agency-controlled records from which information is retrieved by a unique identifier, such as an individual’s name, date of birth, social security number, or employee identification number.

Privacy Act Record. A record that is part of a Privacy Act System of Records.

Privacy Act System of Records (SOR). A group of records from which information is retrieved by the name of an individual, or by any number, symbol, or other unique identifier assigned to that individual.

Privacy Breach. A privacy breach is also known as an “incident.” An incident is any adverse event or situation associated with any information collection containing PII that poses a threat to integrity, availability, or confidentiality. An incident may result in or stem from any one of the following: a failure of security controls; an attempted or actual compromise of information; and/or waste, fraud, abuse, loss, or damage of government property or information. Refer to ITS-HBK-1382.05 for specific information on privacy breach.

Privacy Impact Assessment (PIA). In accordance with OMB M-03-22, a PIA “... is an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.”

Refer to ITS-HBK-1382.03-01for additional information on PIAs.

Record. The Privacy Act defines a “record” as any individually identifiable set of information that an agency might maintain about a person. Such records may include a wide variety of personal information including, but not limited to, information about education, financial transactions, medical history, criminal history, or employment history.

Sensitive Personally Identifiable Information. This definition is related to incident reporting only as outlined in this NPR. All PII, regardless of whether it is sensitive or non-sensitive, is required to be protected as outlined in this NPR and as defined in OMB M-07-16.

Sensitive PII is a combination of PII elements, which if lost, compromised, or disclosed without authorization could be used to inflict substantial harm, embarrassment, inconvenience, or unfairness to an individual.

Refer to ITS-HBK-1382.03-01 for additional information on the distinction of sensitive versus non-sensitive PII.

DISTRIBUTION:
NODIS

This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.