DEPARTMENT OF THE NAVY CHIEF INFORMATION OFFICER DON

DEPARTMENT OF THE NAVY CHIEF INFORMATION OFFICER (DON CIO)
The Privacy Impact Assessment (PIA) Process
The “Gouge”
February 2021
MODERNIZE INNOVATE DEFEND

PIA Topics
• Do I Need a PIA?
• The Process
  – Before You Begin
  – The Template
    ◦ Section One
    ◦ Section Two
    ◦ Section Three
    ◦ Section Four
  – Routing and Approval
  – After PIA is Approved

12/19/2021 MODERNIZE INNOVATE DEFEND

Do I Need a PIA?
• DoDI 5400.16, DOD Privacy Impact Assessment (PIA) Guidance
  – A PIA is required on new and existing IT systems and electronic collections (i.e., applications) that collect, maintain, use, or disseminate PII on members of the public, DoD personnel, contractors, or foreign nationals employed at U.S. military facilities internationally.
  – When new uses of an existing IT system or application significantly change how PII is managed in the system (e.g., migrating the system to the cloud).
  – Synchronized with the information system’s assessment and authorization cycle. Submit an updated PIA with new/current signatures in time to support the system/application’s RMF accreditation.
• An approved PIA should be in place before any collection of PII by the IT system or application begins.
• IT system/application “pilots” that utilize actual PII require an approved PIA. Utilizing actual PII should be avoided if possible.

Do I Need a PIA?
• A “full” PIA is not required when:
  – No PII is collected.
  – Only Internal Government Operations (i.e., business related) PII is collected (i.e., name, office email, office phone, office address, badge number, position, pay grade, etc.).
  – The IT system is a National Security System (NSS).
  – The information collected is ALL “unstructured information” (i.e., email systems, shared drives, SharePoint portals, etc.). Unstructured information refers to PII elements collected that are not or cannot be specified or listed. Most systems collect “structured information” (i.e., the same PII elements are collected for each individual and can be identified).
• Note: PIAs are not done on networks. They are done on the systems or applications that ride on the network.

Before You Begin
• Ensure that DITPR DON/DADMS information is current and that all information in the PIA is consistent with what’s in DITPR DON/DADMS. For completing the PIA template, this would include the following:
  – General Tab (e.g., System Name and acronym, DITPR DON ID, DITPR ID, UII)
  – FISMA Tab (e.g., assessment and authorization information)
  – PIA/PA Tab (e.g., collects PII; collects SSN; SSN justification memo; collects on Federal, Public, Both; SORN)
  – RM Tab (e.g., records and disposition information)
  – Doc Tab (e.g., SSN justification memo submitted in support of PIA being processed for approval)

Before You Begin
• System of Records Notice (SORN)
  – PIA requires:
    ◦ SORN Identifier(s), or the
    ◦ Date the new/modified SORN was forwarded to the Defense Privacy Civil Liberties and Transparency Division (DPCLTD), i.e., DoD Privacy Office, or
    ◦ If a SORN is not required, the reason why should be indicated.
• OMB Control Number (for systems that collect information directly from 10 or more members of the public)
  – PIA requires:
    ◦ The OMB Control number assigned, or a
    ◦ Statement that the OMB package has been forwarded to DNS-15 (Navy) or ARDB (USMC)

Before You Begin
• Contractor FAR Clauses
  – PIA requires the name of the contractor(s) (i.e., the company name not individuals) and a statement that the required FAR clauses are in each contract
  – See Assistant SECNAV Sep 28, 2018 Memo, Implementation of Enhanced Security Controls on Select Defense Industrial Base Partner Networks
• SSN Justification Memo
  – Required with each submission of a new or updated PIA with a “new”/current signature (This is at odds with DoD’s every 2 year requirement)
  – Post the most current SSN Justification Memo, under the DOC Tab in DITPR DON
  – The memo must be signed by a Flag or General officer, an SES, or individual with by direction signature authority.

Before You Begin
• Records Management
  – The NARA Job Number or General Records Schedule Authority must be listed if the system/application contains records.
  – If the system/application does not contain records, state this.

SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
• 1. DOD INFORMATION SYSTEM/ELECTRONIC COLLECTION NAME:
  – Enter the information system (from DITPR DON) or electronic collection/application (from DADMS) name followed by the acronym in the text box. Ensure what you enter matches what is in DITPR DON or DADMS.
    ◦ Example: Naval Education and Training Future Officer and Citizenship User System (NETFOCUS)

SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
• 2. DOD COMPONENT NAME
  – Pick “Department of the Navy” from the drop down list.
  – In the next text box insert either:
    ◦ For Navy: the Echelon II Command.
      – Example: “Naval Sea Systems Command (NAVSEA)” (a subcommand can be included if desired)
    ◦ For Marine Corps: United States Marine Corps followed by the Major Command.
      – Example: “United States Marine Corps – Marine Corps Installations Command (MCI)”
• 3. PIA APPROVAL DATE
  – DON CIO will insert this when the final approval signature is made

SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
• a. The PII is: (Check one. Note: foreign nationals are included in general public.)
  – If no PII is collected or if only internal government operations (i.e., business related) PII is collected, these are considered “abbreviated” PIAs and are handled internal to your command.
    ◦ The DON CIO does not process or sign and does not require a copy.
    ◦ IMPORTANT: DITPR DON/DADMS must be updated to indicate that either:
      – No PII is collected, or
      – That PII “is” collected but “A PIA (i.e., full PIA) ‘is not’ required since the PII collected is low risk internal government operations (i.e., business) related PII.”
  Note: Internal government operations (i.e., business) related PII (i.e., name, office email, office phone, office address, badge number, position, pay grade, etc.).

Abbreviated PIAs
Two types:
• No PII collected
  – Complete the following fields of the PIA template:
    ◦ DOD INFORMATION SYSTEM/ELECTRONIC COLLECTION NAME
    ◦ DOD COMPONENT NAME
    ◦ Section 1.a. Check “Not Collected”
  – Obtain command signatures.
  – Ensure DITPR DON or DADMS reflects that no PII is collected.
  – Maintain PIA locally (i.e., DON CIO does not sign or require a copy)

Abbreviated PIAs
• Internal Government Operations (i.e., business) related PII collected:
  – Complete the following fields of the PIA template:
    ◦ DOD INFORMATION SYSTEM/ELECTRONIC COLLECTION NAME
    ◦ DOD COMPONENT NAME
    ◦ Section 1.a. Check appropriate box (usually “federal employees”)
    ◦ Section 2.a. List PII elements collected (should ALL be internal government operations PII elements. If in doubt, contact the DON CIO).
  – Obtain command signatures.
  – Ensure DITPR DON or DADMS reflects that PII is collected, a PIA is not required, and add the following to the text box on the PIA tab: “A PIA is not required since the PII collected is considered low risk and there would be little or no risk of harm to the individual if compromised.”
  – Maintain the PIA locally (i.e., DON CIO does not sign or require a copy).

SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
• b. The PII is in a: (Check one)
• Definitions:
  – IT systems are registered in DITPR DON = “DoD Information System”
    ◦ A system is defined as any solution that requires a combination of two or more interacting, interdependent, and/or interoperable hardware, software, and/or firmware to satisfy a requirement or capability. Systems are registered in DITPR-DON and have a supporting budget displayed in PBIS-IT.
  – Applications are registered in DADMS = “Electronic Collection”
    ◦ An application is defined as any software application that uses an existing operating system software program to provide the user with a specific capability or function that is independent of other “applications.” If it is dependent on other applications it becomes a system. Applications are registered in DADMS.

SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
• c. Describe the purpose of this DoD information system or electronic collection and describe the types of personal information about individuals collected in the system.
  – Purpose should be clear and consistent with the DITPR DON/DADMS and the SORN. In many cases the description or purpose in DITPR DON/DADMS can be copied into the PIA.
  – “Describe” the PII collected and ensure it’s consistent with Section 2.a. of the PIA. Please ensure you answer this piece of the question. Most don’t. Easiest thing to do is list the same elements that are in Section 2, question a.
• d. Why is the PII collected and/or what is the intended use of the PII? (e.g., verification, identification, authentication, data matching, mission-related use, administrative use)
  – List one or more of the choices given in the parentheses. That is all that is required.

SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
• e. Do individuals have the opportunity to object to the collection of their PII?
  – If Yes, include the consequence(s) if the individual’s PII is not provided.
  – If No, the usual reason is that “PII is not collected directly from the individual.”
• f. Do individuals have the opportunity to consent to the specific uses of their PII?
  – Answer is usually No. If no, provide one of the following responses in the text box: “Once PII is provided by the individual, consent is assumed” or “PII is not collected directly from the individual”.

SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
• g. When an individual is asked to provide PII, a Privacy Act Statement (PAS) and/or a Privacy Advisory must be provided. (Check as appropriate and provide the actual wording.)
  – As the question states, please provide the actual wording of the PAS.
  – A PAS is required when collecting information directly from an individual.
  – If “Not Applicable” is checked, indicate why in the text box, e.g., “PII is not collected directly from the individual”.

SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
• h. With whom will the PII be shared through data exchange, both within your DoD component and outside your Component? (Check all that apply)
  – Within the DoD Component equates to Department of the Navy, both Navy and Marine Corps.
  – Other DoD Components (i.e., outside DON, but within DoD)
  – Contractor: Include the name of the contractor(s) (i.e., the company name not an individual’s name) and a statement as to whether the required FAR privacy clauses are included in the contract(s). http://www.doncio.navy.mil/ContentView.aspx?id=10719
• i. Source of the PII collected is: (Check all that apply and list all information systems if applicable)
  – Self-explanatory
  – Ensure IT system names and acronyms are listed in the text if they are a source of PII.

SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
• j. How will the information be collected? (Check all that apply and list all Official Form Numbers if applicable)
  – Self-explanatory
  – Ensure “Official Form Numbers” are listed
  Note: Unofficial forms should not be used. Contact OPNAV DNS-15 (Navy) or ARDB (USMC) if there is any question as to whether a form is an official form.
• k. Does this DoD Information system or electronic collection require a Privacy Act System of Records Notice (SORN)?
  – Provide either the SORN identifier(s) or the date the SORN was submitted to DPCLTD (i.e., DoD Privacy Office) or
  – Explain why a SORN isn’t required.
  Note: The SORN submission date may be obtained from DNS-36 (Navy) or ARSF (USMC). SORNs may NOT be submitted directly to DPCLTD by the command.

SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
• l. What is the National Archives and Records Administration (NARA) approved, pending or general records schedule (GRS) disposition authority for the system or for the records maintained in the system?
  – Ensure all questions are answered or
  – Explain that the system or application does not contain any records.
  – Ensure that what is entered in the PIA is consistent with what is under the RM Tab in DITPR DON
  – The local, command, or Ech II Records Manager signing the PIA should provide this information.
  – The Records Manager’s signature is required in Section 4, block e.

SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
• m. What is the authority to collect information? A Federal law or Executive Order must authorize the collection and maintenance of a system of records. For PII not collected or maintained in a system of records, the collection or maintenance of the PII must be necessary to discharge the requirements of a statute or Executive Order.
  – For a system or application that has a SORN or multiple SORNs, cut and paste the authorities listed in the SORN. The heading for each SORN listed should be in the following format:
    ◦ SORN M01040-3, Marine Corps Manpower Management Information System Records (April 29, 2010, 75 FR 22570) authorities:
    ◦ This information can be cut and pasted from the top of each SORN.
    ◦ Then cut and paste the authorities from the SORN under the heading you just created.
  – If the system or application does not require a SORN, explain why and list law(s), Executive Order(s), instruction(s), etc. that authorize the collection of PII.
  Note: If an authority listed in the SORN has been canceled or superseded, it may be replaced with the superseding authority.

SECTION 1: PII DESCRIPTION SUMMARY (FOR PUBLIC RELEASE)
• n. Does this DoD information system or electronic collection have an active and approved Office of Management and Budget (OMB) Control Number?
  – This number indicates OMB approval to collect data from 10 or more members of the public in a 12 month period regardless of form or format.
  – Follow directions in the PIA for yes, no, or pending.
  – Contact DNS-15 (Navy) or ARDB (USMC) if you have any question on how to submit a request for an OMB Control Number. This process can easily take 6 months or longer.
  – If your OMB package has been submitted to DNS-15, indicate this and the date submitted in the text box.

SECTION 2: PII RISK REVIEW
• a. What PII will be collected (a data element alone or in combination that can uniquely identify an individual)? (Check all that apply)
  – In addition, for any other PII element not listed and for each broad category list the PII elements or describe the type of PII collected in the text box. (e.g., Employment Information: employment history, credentials earned, salary level.)
  – The broad categories include: Employment Information, Military Records, Disability Information, Education Information, Financial Information, Law Enforcement Information, Security Information, Child Information, Emergency Contact Information, Medical Information, Protected Health Information (PHI)
• If the SSN is collected, complete the following questions.
  – Ensure the SSN Justification Memo is posted under the DOC Tab in DITPR DON/DADMS for the system/application. As mentioned above, a new memo is required for each PIA submission.
  – The list of 12 acceptable uses can be found on the DON CIO web site. http://www.doncio.navy.mil/ContentView.aspx?id=1833

SECTION 2: PII RISK REVIEW
• b. What is the PII confidentiality impact level?
  – Information security signatory determines this and provides response.
• c. How will the PII be secured?
  – Information security signatory determines and provides response.
  – Include where the system or application servers are located.
• d. What additional measures/safeguards have been put in place to address privacy risks for this information system or electronic collection?
  – Information security signatory determines and provides response.

SECTION 3: RELATED COMPLIANCE INFORMATION
• a. Is this DoD Information System registered in the DoD IT Portfolio Repository (DITPR) or the DoD Secret Internet Protocol Router Network (SIPRNET) Information Technology (IT) Registry or Risk Management Framework (RMF) tool?
  – Note: this question is asking “DITPR” not “DITPR DON”
  – If yes, list DITPR ID in first text box.
  – Put RMF tool ID in third text box.
  – Put DITPR DON ID or DADMS ID in large text box as a cross walk between the two systems.

SECTION 3: RELATED COMPLIANCE INFORMATION
• b. DoD information systems require assessment and authorization under the DoD Instruction 8510.01, “Risk Management Framework for DoD Information Technology”.
  – Ensure information provided for this question is consistent with information in the DITPR DON.
• c. Does this DoD information system have an IT Unique Investment identifier (UII), required by Office of Management and Budget (OMB) Circular A-11?
  – Provide the UII from the DITPR DON as applicable in the following format:
    ◦ 007-000001234

SECTION 4: REVIEW AND APPROVAL SIGNATURES
• Command required signatures:
  – Secretariat and Navy:
    ◦ Block a: Program Manager or Systems Manager
    ◦ Block b or c: Local or Echelon II privacy official
    ◦ Block e: Local or Echelon II Records Manager
    ◦ Block f: ISSM/security official at the local or Echelon II level
  – USMC
    ◦ Block a: Program Manager or Systems Manager
    ◦ Block b or c: Local or major command privacy official
    ◦ Block b or c: ISSM/security official at the local or major command level
    ◦ Block e: HQMC ARDB
    ◦ Block f: HQMC C4 CY
• Final review and approval signatures:
  – Block d (Navy): OPNAV DNS-H, formerly DNS-36
  – Block d (USMC): HQMC ARSF
  – Blocks g and h: DON CIO

Routing and Approval
• Program Manager completes template and forwards to the appropriate Echelon II Privacy Official for Navy and HQMC DCI for initial review.
• Command signatures are obtained.
• For Navy PIAs: PIA is forwarded to DON CIO for review. After review DON CIO forwards the PIA to OPNAV DNS-H for review and signature. OPNAV DNS-H returns PIA to DON CIO for final approval signature.
• For Marine Corps PIAs: HQMC DCI reviews, signs and forwards the PIA to HQMC ARSF for review, coordination, and signatures. HQMC ARSF forwards the PIA to DON CIO for the final approval signature.
• DON CIO approves and signs the PIA.

After PIA is Approved
• DON CIO posts the PIA summary (i.e., section 1 only) to the DON CIO web site.
• DON CIO forwards the approved PIA to stakeholders (the Echelon II privacy official for Navy; HQMC DCI and ARSF for the Marine Corps).
• DON CIO forwards the approved PIA to DoD CIO PIA Official.
• DON CIO updates the DITPR DON.