Effective Date: July 26, 2022
Expiration Date: July 26, 2027
|| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | ALL ||
P.1 Purpose
a. The purpose of this document is to set forth the procedural requirements for safeguarding individual privacy through the protection of personally identifiable information (PII). PII which is collected, used, maintained, and disseminated by the National Aeronautics and Space Administration (NASA) will be protected regardless of format.
b. This NASA Procedural Requirement (NPR) is based on Federal requirements as listed in Section P.4, Applicable Documents and Forms.
P.2 Applicability
a. This NPR is applicable to NASA Headquarters and NASA Centers, including Component Facilities and Technical and Service Support Centers.
b. For the purposes of this NPR, NASA Headquarters is regarded as a Center. Further, all stipulated Center requirements apply to NASA Headquarters.
c. This directive applies to contractors, recipients of grants, cooperative agreements, or other agreements only to the extent specified or referenced in the contracts, grants, or agreements. This directive is applicable to the Jet Propulsion Laboratory (JPL), a Federally Funded Research and Development Center (FFRDC), only to the extent specified in the NASA/Caltech Prime Contract.
d. This directive applies to PII collected, stored, used, processed, disclosed, or disseminated in any format for use by or on behalf of NASA and includes PII collections that are maintained externally through a contract, outsourced to, or operated by:
(1) Government-owned, contractor operated (GOCO) facilities;
(2) Partners under the National Aeronautics and Space Act, 51 U.S.C. § 20101 et seq.;
(3) Partners under the Commercial Space Launch Act, as amended, 51 U.S.C. § 50913;
(4) Partners under cooperative agreements; or
(5) Commercial or university facilities.
e. External collections that are not gathered on behalf of NASA or are merely incidental to a contract (e.g., PII in a contractor's payroll and personnel management system) are excluded from this NPR and are considered non-NASA data.
f. This NPR does not apply to PII collected or maintained by NASA employees and contractors for personal use (e.g., contact information for family, relatives, and doctors), as allowed under NASA Interim Directive (NID) 2540.138, Acceptable Use of Government Furnished Information Technology Equipment, Services, and Resources.
g. In this directive, all mandatory actions (i.e., requirements) are denoted by statements containing the term "shall." The terms "may" or "can" denote discretionary privilege or permission, "should" denotes a good practice and is recommended but not required, "will" denotes expected outcome, and "are/is" denotes descriptive material.
h. In this directive all document citations are assumed to be the latest version unless otherwise noted. Documents cited as authority, applicable, or reference documents may be cited as a different categorization, which characterizes its function in relation to the specific context.
i. In this directive, the citation “Privacy Act of 1974, 5 U.S.C. § 552a” will be referred to as “Privacy Act” throughout.
P.3 Authority
a. The National Aeronautics and Space Act, 51 United States Code (U.S.C.), § 20101 et seq.
b. The E-Government Act of 2002, 44 U.S.C. § 3604 et seq.
c. Privacy Act of 1974, 5 U.S.C. § 552a.
e. NPR 2810.1, Security of Information and Information Systems.
f. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev.5, Security and Privacy Controls for Information Systems and Organizations.
P.4 Applicable Documents and Forms
a. Creating Advanced Streamlined Electronic Services for Constituents Act of 2019, 5 U.S.C. § 101.
b. Plain Writing Act of 2010, 5 U.S.C. § 301.
c. Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506.
d. Applicability to National Security Systems, 40 U.S.C. § 11103(a).
e. Paperwork Reduction Act (PRA), 44 U.S.C. § 3501 et seq.
f. Federal Information Security Modernization Act of 2014, 44 U.S.C. § 3551 et seq.
g. Management and Promotion of E-Government Services, 44 U.S.C. § 3601.
h. Social Security Number Fraud Prevention Act of 2017, 10 CFR spt. 9.301.
i. Privacy Act NASA Regulations, 14 CFR pt. 1212.
j. Protection of Privacy and Freedom of Information, 48 CFR pt. 24.
k. Office of Management and Budget (OMB) Circular A-130, Managing Information as a Strategic Resource (7/28/2016).
l. OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (09/30/2003).
m. OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy (02/11/2005).
n. OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information (05/22/2006).
o. OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information Incorporating the Cost for Security in Agency Information Technology Investments (07/12/2006).
p. OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (05/22/2007).
q. OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies (06/25/2010).
r. OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications (06/25/2010).
s. NIST SP 800-122, Guide for Protecting the Confidentiality of Personally Identifiable Information (PII).
t. NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories.
u. NASA FAR Supplement 1824.1, Protection of Individual Privacy (09/2015).
v. NID 2540.138, Acceptable Use of Government Furnished Information Technology Equipment, Services and Resources.
w. NPR 1600.1, NASA Security Program Procedural Requirements.
x. NPR 8000.4, Agency Risk Management Procedural Requirements.
y. NPR 2810.7, Controlled Unclassified Information.
z. NRRS 1441.1, NASA Records Retention Schedules.
aa. ITS-HBK-1382.03-01, Privacy - Collections, PIAs, and SORNs.
bb. ITS-HBK-1382.03-02, Privacy Annual Reporting Procedures: Reviewing and Reducing PII and Unnecessary Use of SSN.
cc. ITS-HBK-1382.04, Privacy and Information Security Overview.
dd. ITS-HBK-1382.05, Privacy Incident Response: Breach Response Team Checklist and Management.
ee. ITS-HBK-1382.06, Privacy Notice and Redress—Web Privacy and Written Notice, Complaints, Access, and Redress.
ff. ITS-HBK-1382.07, Privacy Awareness and Training.
gg. ITS-HBK-1382.08, Privacy Accountability.
hh. ITS-HBK-1382.09, Privacy Rules of Behavior and Consequences.
ii. ITS-HBK-2810.03, Planning.
jj. ITS-HBK-2810.06, IT Security Awareness, Training and Education.
kk. ITS-HBK-2810.09, Incident Response and Management.
ll. ITS-HBK-2810.11, Media Protection and Sanitization.
P.5 Measurement/Verification
a. Measurement for this policy is determined by Federal regulatory and NASA privacy requirements. These measurements are based upon NASA's privacy goals and the objectives outlined by the Senior Agency Official for Privacy (SAOP).
b. The SAOP provides assessments and evaluations that consist of periodic reporting from the Centers and the collection of information needed to satisfy OMB and Federal Information Security Modernization Act of 2014 (44 U.S.C. § 3551 et seq.) reporting requirements.
c. All entities in P.2 of this policy are subject to privacy compliance reviews and evaluations by NASA.
P.6 Cancellation
NPR 1382.1, NASA Privacy Procedural Requirements, July 10, 2013.
This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.