
NPR 1382.1B
Effective Date: July 26, 2022
Expiration Date: July 26, 2027

Subject: NASA Privacy Procedural Requirements

Responsible Office: Office of the Chief Information Officer


Chapter 1 Privacy Management

1.1 Overview

1.1.1 On January 16, 2020, NIST published the Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. The structure of the Privacy Framework follows that of the NIST Cybersecurity Framework.

1.1.2 NASA is committed to protecting the privacy of personal information of individuals from whom it collects, maintains, uses, and/or disseminates such information.

1.1.3 The NIST Privacy Framework establishes a basic set of activities and outcomes encapsulated in three components: the core, profiles, and implementation tiers. The core is composed of a set of functions, categories, and subcategories that work together to enable a dialogue about managing privacy risk.

a. Functions represent the highest level of categorization for privacy activities. The chapters in this directive align to the functions of the framework, which are:

(1) Identify—Activities and policies that help NASA to understand the scope of both the privacy information and the systems processing privacy information, with a goal of managing privacy risk for individuals.

(2) Govern—Requirements relating to the development and implementation of NASA governance structures to enable an understanding of NASA's risk management priorities and how the priorities are informed by privacy risk.

(3) Control—Requirements for activities to enable NASA to manage data to address privacy risks.

(4) Communicate—Requirements for activities that enable NASA to engage in dialogue about how data are processed and associated privacy risks.

(5) Protect—Requirements for activities relating to data processing safeguards.

b. Categories represent the subdivision of activities under functions.

c. Subcategories represent specific outcomes of technical and/or management activities. Privacy goals and objectives are identified and governed by NASA's Privacy Program Plan, maintained by the Chief Privacy Officer.

1.2 Roles and Responsibilities

1.2.1 This section contains overarching roles and responsibilities related to NASA's entire privacy program. Roles and responsibilities related to specific elements of the privacy program are referenced throughout the remainder of this NPR in their respective chapters. NASA Headquarters, Centers, satellite and component facilities, and support service contractor sites may use internal organizational structure to fulfill the roles and responsibilities described herein.

1.2.2 Throughout this document, roles and responsibilities are generally listed at the highest level possible, with the assumption that specific tasks and functions may be delegated unless explicitly prohibited (e.g., where delegation would create a conflict of interest or violate separation of duties).

The NASA Administrator shall:

a. Ensure the protection of PII within NASA's information and information systems.

b. Assign a SAOP, who maintains the Agency's privacy program and its overall objectives and priorities.

The NASA CIO shall:

a. Provide guidance to the SAOP.

b. Update NPD 1382.17, NASA Privacy Policy, to ensure NASA is current with changes in Federal privacy policy.

The SAOP shall:

a. Provide overall responsibility and accountability for ensuring NASA's implementation of privacy information protections.

b. Ensure that NASA is compliant with applicable Federal laws, regulations, policies, guidelines, and NASA privacy program requirements.

c. Develop and maintain a NASA-wide privacy program.

d. Develop, maintain, and monitor NASA privacy goals and objectives.

e. Approve handbooks related to this NPR.

f. Assign a Chief Privacy Officer (CPO) to oversee the NASA-wide privacy program. The Chief Privacy Officer was formerly called the Privacy Program Manager.

g. Assign a NASA Privacy Act Officer (PAO) responsible for oversight of NASA's compliance with the Privacy Act of 1974, 5 U.S.C. § 552a.

h. Advise senior NASA officials concerning their responsibilities to protect privacy information.

i. Evaluate legislative, regulatory, and other guidelines and policies related to privacy.

j. Ensure that a Privacy Threshold Analysis (PTA) is conducted for any new, or significantly changed, applications, websites, information systems (including third-party applications and information systems and collections of information provided for by external service providers who are collecting information on behalf of NASA), and all non-electronic information collections, to determine whether there are any privacy implications or other regulatory compliance requirements. Guidance for conducting PTAs is in ITS-HBK-1382.03-01, Privacy - Collections, PIAs, and SORNs.

k. Ensure that, when an initial assessment via the PTA process calls for the completion of a full Privacy Impact Assessment (PIA), the PIA is initiated and completed, in accordance with ITS-HBK-1382.03-01, prior to actively collecting any information.

l. Review and approve PIAs.

The Senior Agency Information Security Officer (SAISO) shall provide necessary management and resources in support of the NASA-wide privacy program as established by the SAOP.

The NASA CPO shall:

a. Oversee and manage the development and implementation of policy and procedure, guidance, directives, and requirements for NASA in support of compliance with Federal laws, statutes, and Government-wide policy as directed by the SAOP.

b. Ensure that NASA complies with privacy requirements within Federal statutes listed in this directive, including the collection, maintenance, use, and dissemination of privacy information.

c. Develop and maintain NASA privacy policies, procedural requirements, and handbooks as directed by the SAOP.

d. Establish Agency requirements and processes for conducting PTAs and PIAs for new or significantly changed applications, websites, or information systems, and make PIAs publicly available (unless public release is otherwise prohibited).

e. Oversee and provide guidance in the implementation and the day-to-day operation of the NASA-wide privacy program as directed by the SAOP.

f. Review NASA's compliance with information privacy laws, regulations, and policies annually to validate effectiveness and ensure conformity with current Federal policies and guidance as directed by the SAOP.

The NASA Privacy Act Officer shall:

a. Ensure compliance with requirements of the Privacy Act.

b. Oversee, manage, and implement the Privacy Act requirements for NASA.

The Center/Executive Director shall:

a. Appoint a Center Privacy Manager (CPM).

b. Support the protection and management of PII at the Center and consult with the CPM on matters pertaining to privacy.

The Center CIO shall:

a. Ensure that all Center information and information systems comply with the provisions of this NPR.

b. Support the protection and management of PII at the Center and consult with the CPM on matters pertaining to privacy.

c. Support the CPM in protecting PII and/or Information in Identifiable Form (IIF) at the Center.

d. Ensure that Information Owners (IOs), Information System Owners (ISOs), and Data Owners (DOs) assess the privacy aspects of information collections and information systems for which they are responsible and ensure all required security safeguards are implemented in accordance with current NASA policy and procedural requirements for the collection, use, maintenance, and dissemination of personal information.

The Center Chief Information Security Officer (CISO) shall support the CPM in protecting PII at the Center.

The CPM shall:

a. Serve as the Center advisor to the Center Director, Center CIO, Center CISO, and Information System Owners (ISOs) on all matters pertaining to privacy.

b. Function as the primary Center point of contact/liaison to the NASA CPO and NASA PAO.

c. Work with ISOs to review and aid in ensuring compliance with all privacy requirements, as needed.

d. Validate the proper disposition and/or sanitization process for files and records (paper, electronic, or other media formats), which contain privacy information.

e. Ensure the NASA privacy program is implemented at the Center in accordance with NASA policy.

f. Ensure that IOs, ISOs, and DOs perform the required information collection assessments (i.e., PTAs and PIAs) and aid in the development of any additional documentation indicated as required upon completion of the PTA (or PIA if required). (This includes SORNs, Federal Register notices, and Privacy Act Statements.)

g. Serve as their Center's liaison for the controlled unclassified information (CUI) program unless a different liaison is identified by the Center's leadership.

Contracting Officers (COs) or Agreement Managers shall ensure that the requirements of this directive are included and in scope for all NASA contracts, agreements under 51 U.S.C. § 20101, cooperative agreements, partnership agreements, or other agreements pursuant to which privacy information (e.g., PII, PHI, PAI) is being collected, processed, stored, or transmitted.

The ISO shall:

a. Acquire, develop, integrate, operate, modify, maintain, and dispose of information systems containing PII in a manner consistent with Federal statutes, regulation, and NASA privacy policies.

b. Ensure compliance with the Privacy Act for applications and information systems.

c. Verify with the CO/Contracting Officer Representative (COR) that any contract that requires the operation of a System of Records (SOR) on behalf of NASA includes the clauses required per Protection of Privacy and Freedom of Information, 48 CFR pt. 24.

d. Notify the CO when purchase requests include services covered by the Privacy Act or Paperwork Reduction Act (PRA), 44 U.S.C. § 3501 et seq.

e. Notify the CO when contractor services will require or include access to PII collected by or on behalf of NASA.

f. Verify that the contract statement of work identifies this NPR as outlining the NASA-specific requirements to be followed by the contractor.

The NASA User shall:

a. Comply with all Federal laws, statutes, and NASA privacy policies and procedures in this and the referenced documents.

b. Protect all PII in the user’s custody (whether virtual, electronic, actual, or otherwise) from unauthorized disclosure, use, modification, or destruction so that the confidentiality, integrity, and availability of the information are preserved.



This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.