Subject: NASA Privacy Procedural Requirements

Responsible Office: Office of the Chief Information Officer

Appendix A. Definitions

Breach. Per OMB M-17-12 is a type of incident resulting in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose.

• An incident is an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

• An incident is any adverse event or situation associated with any information collection containing PII that poses a threat to integrity, availability, or confidentiality. An incident is only confirmed as a breach when PII is actually exposed to an unauthorized recipient. An incident may result in or stem from any one of the following: a failure of security controls; an attempted or actual compromise of information; and/or waste, fraud, abuse, loss, or damage of government property or information. Refer to ITS-HBK-1382.05 for specific information on privacy breach.

Incident Response Assessment (IRAs). An Incident Response Assessment provides the capability to conduct incident response and red team assessments to evaluate NASA's cybersecurity and privacy incident response readiness and effectiveness. All assessments will be conducted in accordance with United States Computer Emergency Readiness Team (US-CERT) guidance and regulations. At NASA, participation in either in an actual or mock breach response will qualify as participating in an IRA.

Information in Identifiable Form (IIF). In Section 208(d) of 44 U.S.C. § 3601, IIF is defined as "... any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means."

• OMB M-03-22,defines IIF as "... information in an IT system or online collection: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, e-mail address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, (i.e., indirect identification). Refer to ITS-HBK-1382.03-01 for additional information on IIF.

Master Privacy Information Inventory (MPII). The inventory of any information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII to allow the agency to regularly review its PII and ensure, to the extent reasonably practicable, that such PII is accurate, relevant, timely, and complete; and to allow the agency to reduce its PII to the minimum necessary for the proper performance of authorized agency functions.

Member of the Public. Refer to ITS-HBK-1382.03-01for the distinction of member of the public as it pertains to 44 U.S.C. § 3604 and 44 U.S.C. § 3501.

NASA User. Any explicitly authorized patron of a NASA information system.

Non-Sensitive Personally Identifiable Information (PII). At NASA PII is further grouped into sensitive and non-sensitive PII. Non-sensitive PII generally is information that is available in public sources the disclosure of which cannot reasonably be expected to result in personal harm. NASA will protect any information it maintains or collects in accordance with appropriate policy. Examples of non-sensitive PII include name, work e-mail, work phone number, and work address. However, these elements, when combined with sensitive PII may then become sensitive PII.

Personally Identifiable Information (PII). According to OMB M-17-12, the term PII "refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual."

• In accordance with OMB M-10-23, "... [t]he definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available in any medium and from any source - that, when combined with other available information, could be used to identify an individual."

• For purposes of NASA policy, sensitive PII excludes personal information collected and or maintained by NASA employees and contractors for personal rather than NASA business purposes, as allowed under NPD 2540. Acceptable Use of Government Furnished Information Technology Equipment, Services, and Resources. Examples of such excluded data include contact information for family, relatives, and doctors. Refer to ITS-HBK-1382.03-01for additional information on PII.

Privacy Act Record. The Privacy Act defines a "record" as any individually identifiable set of information that an agency might maintain about a person. Such records may include a wide variety of personal information including, but not limited to, information about education, financial transactions, medical history, criminal history, or employment history.

Privacy Act System of Records (SOR). A group of records from which information is retrieved by the name of an individual, or by any number, symbol, or other unique identifier assigned to that individual.

Privacy Impact Assessment (PIA). In accordance with OMB M-03-22, a PIA "... is an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks." Refer to ITS-HBK-1382.03-01for additional information on PIAs.

Sensitive PII. A subset of PII that, if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Some forms of PII are sensitive as stand-alone elements.

• Examples of stand-alone PII include Social Security Numbers (SSN), driver's license or state identification number; Alien Registration Numbers; financial account number; and biometric identifiers such as fingerprint, voiceprint, or iris scan.

• Additional examples of SPII include any groupings of information that contain an individual's name or other unique identifier plus one or more of the following elements:

- Truncated SSN (such as last four digits)

- Date of birth (month, day, and year)

- Citizenship or immigration status

- Ethnic or religious affiliation

- Sexual orientation

- Criminal history

- Medical information

- System authentication information such as mother's maiden name, account passwords, or personal identification numbers.

DISTRIBUTION:
NODIS

This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.

Subject: NASA Privacy Procedural Requirements

Responsible Office: Office of the Chief Information Officer

Appendix A. Definitions

DISTRIBUTION: NODIS

DISTRIBUTION:
NODIS