
NASA Procedural Requirements
NPR 1382.1B
Effective Date: July 26, 2022
Expiration Date: July 26, 2027
COMPLIANCE IS MANDATORY FOR NASA EMPLOYEES

Subject: NASA Privacy Procedural Requirements

Responsible Office: Office of the Chief Information Officer


Chapter 5 Communicate

5.1 Overview

5.1.1 The Communicate chapter describes NASA’s requirements to ensure notice has been provided to the public and that a mechanism (i.e., policies and procedures) is in place to allow an individual to request information NASA has collected about them and, if needed, to redress or correct their information.

5.1.2 NASA provides general notice to the public in a number of ways, including the publishing of PIAs, SORNs, Privacy Act Statements, and the NASA Web Privacy Policy and Important Notices (“NASA Web Privacy Policy”).

5.1.3 NASA Privacy Notice and Redress procedures are governed by 14 CFR pt. 1212 and by ITS-HBK-1382.06-01.

5.2 Computer Matching Agreements

5.2.1 Overview

5.2.1.1 In accordance with the Privacy Act, a computer matching agreement and public notice of the proposed match will be published in the Federal Register before NASA matches any of its SORs with a SOR of another Federal entity or with non-Federal records.

5.2.1.2 Specific information on computer matching agreement requirements is detailed in ITS-HBK-1382.03-01.

5.2.2 Procedural Requirements

5.2.2.1 The NASA SAOP shall:

a. Establish a Data Integrity Board that is responsible for approving, overseeing, and coordinating the matching program before any ISO may engage in a computer matching program as defined by the Privacy Act.

b. Provide guidance on computer matching agreements.

5.2.2.2 The NASA PAO shall work with the ISO to prepare and publish a notice in the Federal Register at least 30 days in advance of the establishment or revision of a matching program.

5.2.2.3 The ISO shall work with the PAO to prepare and ensure publication of a notice in the Federal Register at least 30 days in advance of the establishment or revision of a matching program.

5.3 Children’s Online Privacy Protection Act Notice

5.3.1 Overview

5.3.1.1 NASA websites that target children and collect PII from children under age 13 are required to provide conspicuous notice of the information collection practices, verifiable parental consent, and access, as defined by 15 U.S.C. §§ 6501-6506.

5.3.1.2 Specific information on 15 U.S.C. §§ 6501-6506 notice requirements is governed by ITS-HBK-1382.06-01.

5.3.2 Procedural Requirements

5.3.2.1 The CPO shall maintain Agency guidance for compliance with 15 U.S.C. §§ 6501-6506.

5.3.2.2 The ISO shall:

a. Ensure compliance with 15 U.S.C. §§ 6501-6506 for websites intended to be used by, or targeted to, children under the age of 13 that collect PII.

b. Ensure that notice is provided concerning what information is being collected from children by the operator, how the information will be used, and the operator’s disclosure practices.

c. Ensure verifiable parental approval is obtained for the collection, use, or disclosure of information from children.

d. Provide a process for parental review of information collected from the child.

e. Provide an opportunity for parental refusal to permit the operator’s future use of the information or future collection of information.

f. Provide a means for the parent to obtain the personal information collected from the child.

5.4 Privacy Act Statements

5.4.1 Overview

5.4.1.1 In accordance with the Privacy Act, individuals who are asked to provide information that will be maintained in a NASA Privacy Act SOR are to be presented, at the point of collection, with a Privacy Act Statement.

5.4.1.2 The Privacy Act Statement requirement may be accomplished through a standalone paper-based statement, a statement on the paper or electronic form, or an electronic statement on a dedicated web page, any one of which may be retained by the individual.

5.4.1.3 Specific information on the form and contents of Privacy Act Statement requirements is governed by ITS-HBK-1382.03-01.

5.4.2 Procedural Requirements

5.4.2.1 The SAOP shall provide guidance on the use of Privacy Act Statements.

5.4.2.2 The NASA PAO shall work with the CPM to ensure the Privacy Act Statement meets the requirements of the Privacy Act.

5.4.2.3 The CPM shall work with ISOs and the PAO to ensure the Privacy Act Statement meets the requirements of the Privacy Act.

5.4.2.4 The ISO shall:

a. Ensure that individuals who are asked to provide information to be maintained in a Privacy Act SOR are presented at the point of collection with a Privacy Act Statement that:

(1) Is presented either on the information collection sheet or screen, or via a separate sheet or screen that the individuals can print and retain;

(2) Complies with the requirements outlined in 14 CFR pt. 1212; and

(3) Is in a format that the individual may be able to retain in a physical or hard copy.

b. Ensure that new NASA forms or Center forms created for the collection of SOR information provide the correct and specific Privacy Act Statement for that SOR.

5.5 Privacy Act System of Records Notices

5.5.1 Overview

5.5.1.1 In accordance with the Privacy Act, a SORN is required for each NASA SOR containing information on individuals from which records are retrieved by an individual identifier (i.e., the name of the individual or some unique number, symbol, or other identifier assigned to an individual), unless the SOR is limited to work-related information (e.g., work e-mail or work phone number).

5.5.1.2 A SORN is required to be published in the Federal Register prior to any collection or new use of information in a Privacy Act system.

5.5.1.3 Specific information on the review, approval, and publication requirements for a SORN is detailed in ITS-HBK-1382.03-01.

5.5.2 Procedural Requirements

5.5.2.1 The SAOP shall:

a. Provide guidance on the development and publication of SORNs in such a way that limits the formulation of inferences about individuals’ behavior or activities.

b. Review and issue all SORNs for publication in the Federal Register.

5.5.2.2 The NASA PAO shall:

a. Review and revise draft SORNs in cooperation with the system manager.

b. Coordinate the Agency and OMB reviews of SORNs and obtain SAOP signature for SORN submission to the Federal Register for publication through the NASA Federal Register Liaison Officer.

c. Coordinate with CPMs in determining whether an existing NASA or other government SORN covers Privacy Act records maintained by NASA.

5.5.2.3 The CPM shall:

a. Work with ISOs in identifying the need for a Privacy Act SORN.

b. Assist the ISO in drafting a SORN for publication in the Federal Register, if not already covered under an existing SORN.

c. Provide the NASA PAO with draft SORNs, as required.

d. Conduct SORN reviews, as required.

e. Coordinate the review and approval of new draft SORNs and Privacy Act notice updates with ISOs and the NASA PAO.

5.5.2.4 The ISO shall:

a. Limit the maintenance of Privacy Act records on individuals that are retrievable by name or other personal identifier to only those instances for which a Privacy Act SORN has been published in the Federal Register.

b. Provide draft content to enable the PAO to complete a SORN for publication in the Federal Register, if not already covered under an existing SORN.

c. Work with the CPM and the NASA PAO to publish a SORN in the Federal Register.

5.6 Privacy Notice

5.6.1 Overview

5.6.1.1 Except as provided in this paragraph, all publicly facing NASA websites are to link to the NASA Web Privacy Policy. This includes websites that are operated under contract that are deemed to be maintained by the Agency and all websites operated on behalf of the Agency. Posting the NASA Web Privacy Policy is not required if:

a. A website contains no “Government information,” as defined in OMB Circular A-130 (i.e., information created, collected, processed, disseminated, or disposed of by or for the Federal Government);

b. A website is an Agency intranet website accessible only by authorized NASA users; or

c. A website is a National Security system, as defined by Applicability to National Security Systems, 40 U.S.C. § 11103(a), or as exempt from the definition of information technology, as defined in Section 202(i) of Management and Promotion of Electronic Government Services, 44 U.S.C. § 3601.

5.6.1.2 In accordance with OMB M-10-23, the NASA Web Privacy Policy is to be included on official NASA websites and applications hosted on third-party websites and applications. Specific information on privacy notice requirements is detailed in ITS-HBK-1382.06-01.

5.6.2 Procedural Requirements

5.6.2.1 The NASA CIO shall, subject to the conditions of Section 5.3.2:

a. Ensure the NASA Web Privacy Policy is posted on (or linked to from) all public-facing NASA websites.

b. Ensure the NASA Web Privacy Policy is posted on (or linked to from) official NASA websites and applications hosted on third-party websites and applications.

c. Make the NASA Web Privacy Policy available through the NASA website.

d. Ensure that the NASA Web Privacy Policy is translated into a standardized machine-readable format.

5.6.2.2 The SAOP shall:

a. Ensure the NASA Web Privacy Policy:

(1) Includes a description of the information being collected.

(2) Includes the purpose for the collection.

(3) Includes the official use of, or need for, the collected information.

(4) Specifies what information NASA collects automatically (e.g., user’s internet protocol (IP) address, location, and time of visit) and identifies the use for which it is collected (e.g., site management or security purposes).

(5) Informs visitors as to whether their provision of the requested information is voluntary.

(6) Informs visitors on how to grant consent for the use of voluntarily provided information.

(7) Informs visitors on how to grant consent for NASA to utilize the information that the website collects for a use other than statutorily mandated or authorized routine uses under the Privacy Act.

(8) Notifies visitors of their rights under the Privacy Act with respect to SORs.

(9) Incorporates information to meet the requirements of 15 U.S.C. §§ 6501-6506, where needed.

(10) Includes information on the redress mechanism.

(11) Notifies visitors as to how the Agency handles unsolicited e-mail, including the fact that the sender’s privacy is not guaranteed.

b. Disclose, in the applicable NASA Web Privacy Policy, a third party’s involvement in Agency applications when they are embedded within a NASA website.

5.6.2.3 The Center CIO shall:

a. Examine and monitor the third party’s privacy policy when the Center uses a third-party website or application to evaluate risk and determine whether its use is acceptable to NASA.

b. Ensure the NASA Web Privacy Policy is incorporated into all Center public-facing NASA websites.

5.6.2.4 The CPO shall:

a. Review the NASA Web Privacy Policy to ensure compliance with this NPR and Federal requirements.

b. Recommend updates to the NASA Web Privacy Policy when needed.

5.6.2.5 The CPM shall assist the Center CIO in ensuring the NASA Web Privacy Policy is incorporated into all Center public-facing NASA websites.

5.6.2.6 The ISO shall:

a. Ensure that privacy policies clearly and concisely inform visitors of the collection of PII.

b. Ensure that Privacy Act notification is provided to anyone entering an information system containing Privacy Act records.

c. Incorporate the NASA Web Privacy Policy into public-facing NASA websites.

5.7 Web Measurement and Customization Technology Use and Notice

5.7.1 Overview

5.7.1.1 Web measurement and customization technologies are used “... to remember a user’s online interactions with a website or online application in order to conduct measurement and analysis of usage or to customize the user’s experience” per OMB M-10-22. The use of this technology is permitted to improve NASA’s online services; however, the use and notice requirements outlined by OMB and NASA are to be satisfied first.

5.7.1.2 Specific information on when and how these technologies may be used at NASA is detailed in ITS-HBK-1382.06-01.

5.7.2 Procedural Requirements

5.7.2.1 The SAOP shall:

a. Ensure the NASA Privacy Policy describes the use of third-party websites and applications, as outlined by OMB.

b. Evaluate and approve or disapprove waivers for Web Measurement and Customization Technology that collects PII prior to use of that technology, as defined in ITS-HBK-1382.06, and annually thereafter.

5.7.2.2 The Center CIO shall approve any multi-session Web Measurement and Customization Technology prior to use when no PII is collected as defined in ITS-HBK-1382.06-01, and annually thereafter.

5.7.2.3 The NASA CPO shall advise the SAOP on web measurement and customization technology use at NASA.

5.7.2.4 The CPM shall advise the ISO on web measurement and customization technology use and requirements.

5.7.2.5 The ISO shall:

a. Ensure Web Measurement and Customization Technology use is compliant with requirements outlined in ITS-HBK-1382.06-01.

b. Ensure that the website utilizing approved Web Measurement and Customization Technology provides clear and conspicuous notice concerning the use of the technology and includes:

(1) The nature of the information collected.

(2) The purpose and use of the information.

(3) Whether, and to whom, the information will be disclosed.

(4) What privacy safeguards are applied to the information collected.

(5) Consequences to the visitor, or NASA user, of opting out.

c. Seek a waiver from the SAOP to use Web Measurement and Customization Technology when required, as described in ITS-HBK-1382.06-01.


DISTRIBUTION:
NODIS


This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.