Effective Date: July 26, 2022
Expiration Date: July 26, 2027
|| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | ALL ||
4.1.1 The Control chapter relates to NASA’s initiatives to manage the scope of data collection and processing in a manner that addresses privacy risks. Integrating privacy controls across multiple control families in NIST SP 800-53 Rev. 5 makes these controls much more visible in the overall assessment, authorization, and continuous monitoring processes for NASA information systems. Refer to ITS-HBK-1382.04.
4.1.2 Control of the collection and processing of privacy-related data is to incorporate privacy principals, such as data minimization and individual participation.
4.1.3 Data minimization is a critical aspect of NASA’s efforts to preserve individuals’ privacy; while NASA uses technical and policy means to protect sensitive personal information, such means are fallible, and the only assured method of protection is not to collect the information in the first place.
4.1.4 In cases where NASA collects privacy-related data, the means to manage those data are critical to protecting individuals’ privacy and the NIST SP 800-53, Rev. 5 control families are critical to achieving those goals.
18.104.22.168 NASA collects both sensitive and non-sensitive PII and manages that information according to these procedural requirements. The PII of NASA employees and its contractors is sensitive when so assessed through analysis of the data’s use and context. Sensitive PII is a subset of PII, which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
22.214.171.124 The collection of PII during official government business is permitted when:
a. Such collection is authorized by law or Executive Order.
b. Federal and NASA privacy requirements are satisfied.
c. Such collection is otherwise necessary to a NASA program and/or its associated mission.
126.96.36.199 Specific information on collecting PII may be found in ITS-HBK-1382.03-01.
4.2.2 Procedural Requirements
188.8.131.52 The Administrator shall ensure, in accordance with Social Security Number Fraud Prevention Act of 2017, 10 CFR spt. 9.301, NASA does not include a social security number (SSN) on any NASA-developed document sent by physical mail unless:
a. The Administrator approves such inclusion; and
b. Inclusion is necessary because:
(1) Inclusion is required by law or regulation.
(2) An SSN is needed to identify a specific individual and no other substitute is available.
(3) Inclusion is needed to fulfill a compelling Agency business need.
184.108.40.206 The SAOP shall:
a. Limit the collection of PII to that which is legally authorized, consistent with Federal and NASA privacy requirements, and to the minimum extent necessary.
b. Ensure that PII is collected only when necessary for the proper performance of NASA’s functions and mission support.
c. Conduct annual review activities to reduce or eliminate unnecessary collections of PII.
220.127.116.11 The NASA CPO shall coordinate and direct annual NASA-wide review activities to reduce or eliminate unnecessary collections of PII.
18.104.22.168 The CPM shall:
a. Work with ISOs to ensure that all PII is maintained with accuracy, relevance, timeliness, and completeness.
b. Coordinate annual review activities at the Center level with ISOs to ensure PII is collected in accordance with this policy and to reduce or eliminate unnecessary collections of PII.
c. Work with ISOs to eliminate the unnecessary use of SSNs.
22.214.171.124 The ISO shall:
a. Eliminate the collection of information if the information is unnecessary to a NASA program and/or its associated mission.
b. Ensure that all privacy information is maintained with accuracy, relevance, timeliness, and completeness.
c. Ensure that Privacy Act records are collected and maintained in accordance with NASA Privacy Act policies.
d. Conduct annual review activities to reduce or eliminate unnecessary collections of PII.
e. Avoid the collection of SSNs, in accordance with NPD 1382.17, unless required by statute or some other requirement mandating the use of SSNs.
126.96.36.199 NASA Users shall:
a. Not include an SSN on any NASA-developed document sent by physical mail unless the Administrator approves such inclusion in accordance with section 188.8.131.52 of this directive. The process for gaining Administrator approval is governed by the CPO and detailed in ITS-HBK 1382.03-02, Privacy Annual Reporting Procedures: Reviewing and Reducing PII and Unnecessary Use of SSN.
b. Ensure, if ever including an SSN on a NASA-developed document sent by physical mail in accordance with section 184.108.40.206a of this directive:
(1) Where feasible, the SSN is partially redacted; and
(2) The SSN is not visible on the outside of any such package.
| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | ALL |
|| NODIS Library | Organization and Administration(1000s) | Search ||
This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.