NASA Procedural Requirements
NPR 1382.1B
Effective Date: July 26, 2022
Expiration Date: July 26, 2027
COMPLIANCE IS MANDATORY FOR NASA EMPLOYEES

Subject: NASA Privacy Procedural Requirements

Responsible Office: Office of the Chief Information Officer



Chapter 2 Identify

2.1 Overview

2.1.1 The Identify chapter ensures NASA’s compliance with NIST requirements for the inventory and assessment of PII.

2.1.2 NASA is responsible for assessing the PII it collects and notifying individuals of what information is collected, why it is being collected, and how the information will be used.

2.1.3 In accordance with the Privacy Act, the E-Government Act of 2002, 44 U.S.C. § 3604, and OMB requirements, NASA uses compliance documentation such as PTAs, PIAs, and System of Records Notices (SORNs), which are discussed in Chapter 5. These tools assist NASA in identifying and reducing the privacy risks related to NASA’s activities, notifying the public of privacy impacts, and determining which steps to take to mitigate potential impacts to personal privacy.

2.1.4 All NASA applications, information systems, and websites are to be reviewed via the PTA process to determine whether they require a PIA.

2.1.5 NASA Privacy Risk Management and Compliance procedures are governed by ITS-HBK-1382.03-01.

2.2 Inventory

2.2.1 Overview

2.2.1.1 Inventories are essential to NASA’s understanding and management of privacy risk.

2.2.1.2 A thorough understanding of the scope of NASA’s collection of PII provides visibility into the scope of privacy information.

2.2.2 Procedural Requirements

2.2.2.1 The SAOP shall:

a. Ensure the establishment and maintenance of the NASA Master Privacy Information Inventory (MPII).

b. Work with the SAISO to ensure the information system inventory required by NPR 2810.1, Security of Information and Information Systems, includes information on data processing systems processing PII.

2.2.2.2 The CPM shall ensure the MPII established per section 2.2.2.1a accurately reflects all electronic and non-electronic collections of information for their respective Center and is current.

2.3 Privacy Threshold Analyses (PTA) and Privacy Impact Assessments (PIA)

2.3.1 Overview

2.3.1.1 PTAs and PIAs are part of a formal process that NASA uses to analyze how information is processed by an information system, application, or website to ensure that NASA’s handling conforms to applicable statutory, regulatory, and policy requirements for privacy information identified in this directive.

2.3.1.2 The PIA is used to determine the risks and effects of collecting, maintaining, and disseminating IIF on members of the public. NASA conducts PIAs under two circumstances:

a. In accordance with 44 U.S.C. § 3604 and NIST SP 800-53, for any new or substantially changed information system that collects, maintains, or disseminates IIF from or about members of the public (under 44 U.S.C. § 3604, members of the public exclude Government personnel, contractors, and partners); or

b. For a new collection of ten or more members of the public in accordance with 44 U.S.C. § 3501.

2.3.1.3 A PIA describes:

a. The information to be collected.

b. The purpose of the collection (why it is collected).

c. The intended use of the collection.

d. With whom the information will be shared.

e. Whether the information was collected with the consent of the owner (or the owner’s parent or guardian, if needed, in accordance with the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506).

f. How the information will be secured.

g. Whether a SOR is created under the Privacy Act.

2.3.1.4 In addition, the PIA examines and documents the evaluation of protections and alternative processes for handling information to mitigate potential privacy risks.

2.3.1.5 Unless otherwise prohibited, NASA is responsible for posting the PIA publicly.

2.3.1.6 NIST SP 800-53 PL-5, Information Security Controls, is governed at NASA by ITS-HBK-2810.03, Planning, and ITS-HBK-1382.03-01.

2.3.1.7 Information on how to conduct a PTA and PIA, including review, approval, and publication requirements and the relationship to 44 U.S.C. § 3501 and the Privacy Act, is governed by ITS-HBK-1382.03-01.

2.3.2 Procedural Requirements

2.3.2.1 The SAOP shall:

a. Establish Agency policy, requirements, and process for conducting PTAs and/or PIAs for new or revised applications and information systems to limit the identification of individuals.

b. Assess the impact of technology on privacy and the protection of personal information.

c. Evaluate and approve or disapprove all completed PIAs.

d. Ensure that data is disposed of at the Agency level according to NRRS 1441.1, NASA Records Retention Schedules, and NPR 2810.7, Controlled Unclassified Information.

2.3.2.2 The Center CIO shall ensure that a PTA, and when needed a PIA, is conducted for every application and information system, including websites.

2.3.2.2 The NASA CPO shall:

a. Implement Agency policy, requirements, and processes for conducting PTAs and PIAs for new or revised applications and information systems.

b. Ensure PIAs are thorough and meet all applicable standards.

c. Ensure that completed PIAs are made publicly available for applications and information systems, including websites, which collect and/or maintain IIF on members of the public, consistent with Federal policy, unless otherwise prohibited.

2.3.2.3 The CPM shall:

a. Assist ISOs in the completion of PTAs and, when needed, PIAs.

b. Conduct timely reviews of applications and information systems, including websites, and of their PTAs and PIAs, to ensure the ISO has addressed adequate protection of privacy and/or Privacy Act information (PAI).

c. Ensure the ISOs update PTAs and, when needed, PIAs.

d. Conduct annual PIA reviews.

e. Ensure procedures exist to dispose of data at the Center level according to NRRS 1441.1, NPR 2810.1, and NPR 2810.7.

2.3.2.4 The ISO shall:

a. Ensure that a PTA is conducted and approved for the applications and information systems, including websites, under the ISO’s purview.

b. Ensure that a PIA is reviewed and approved for:

(1) An information system that collects, maintains, or disseminates IIF from or about members of the public; or

(2) An electronic collection of IIF for ten or more individuals, consistent with 44 U.S.C. § 3501.

c. Ensure that PTAs and, when needed, PIAs are re-evaluated following significant modifications to any application or information system, including websites, under the ISO’s purview.

d. Ensure that a PIA is conducted prior to use of a third-party website or application that collects PII.

e. Review completed PTAs and PIAs annually to ensure ongoing accuracy.


DISTRIBUTION:
NODIS


This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.