Impact Assessment Guidance
Civil Liberties Impact Assessment Guidance
One of the ways in which the Office for Civil Rights and Civil Liberties (CRCL) advises the Department's leadership is through Civil Rights and Civil Liberties Impact Assessments. A CRCL Impact Assessment may be required by statute, requested by Department leadership or staff, or initiated by the Officer for Civil Rights and Civil Liberties.
The CRCL policy analysts who write CRCL Impact Assessments review various Department programs, policies, or activities to determine whether these Department initiatives have an impact on the civil rights or civil liberties of those affected by the initiative. CRCL policy analysts consider various types of questions when drafting an impact assessment. In the course of conducting the Impact Assessment, and in the final written document, CRCL may make recommendations for change.
These assessments are one of the many tools that CRCL employs to assist the Department in meeting its mission to "ensure that DHS programs, policies, regulations, and guidelines comply with and safeguard civil rights and civil liberties while supporting the needs of customers and the mission of DHS." 6 U.S.C. §345.
Privacy Impact Assessment Guidance
- Interagency Threat Assessment and Coordination Group (ITACG) (September 2010) – The Interagency Threat Assessment and Coordination Group (ITACG) was established in response to the recommendations of the 9/11 Commission, with the goal of improving information sharing between the National Counterterrorism Center and state, local and tribal governments. The ITACG facilitates information sharing by identifying national intelligence products that may be of use to state, local and tribal consumers, suggesting edits to make these products more useful to those consumers, and advocating within the intelligence community (IC) to ensure that state and local terrorist information needs are met. (15 pp. PDF)
- State, Local, and Regional Fusion Center Initiative (December 2008) – The Department's State, Local, and Regional Fusion Center Initiative facilitates information sharing between the Department and state and local governments. The Initiative provides resources and information to fusion centers to assist in their efforts to detect, prevent, and respond to criminal and terrorist activity. (9 pp. PDF)
The DHS Privacy Office offers "PIA Intensives."
In the December 2008 Privacy Impact Assessment (PIA) (42 pp. PDF) of DHS support for fusion centers, the DHS Privacy Office identified a number of risks to privacy presented by the fusion center program and recommended that fusion centers conduct "their own PIAs to understand the processes and authorities unique to their jurisdictions." To help fusion centers conduct their own PIAs, the DHS Privacy Office will provide:
- an information packet and guidance on conducting a PIA, and
- on-site or telephone coaching and training for fusion center Privacy Officers.
Interested in a "PIA Intensive" session? Contact us at FusionCenterTraining@dhs.gov.
More resources on how to conduct a PIA. Although these resources were developed by federal agencies, they offer comprehensive models for fusion centers seeking to conduct PIAs of new or existing programs and technology.
- DHS Privacy Threshold Analysis (July 2007) (5 pp. PDF) – This form is used by DHS to gather information necessary "to determine whether a Privacy Impact Assessment (PIA) is required under the E-Government Act of 2002 and the Homeland Security Act of 2002." It provides an example for organizations creating an analysis process.
- DHS Privacy Impact Assessment Template (19 pp. PDF) – The template provides the format for a privacy impact assessment (PIA) and instructions on how to complete the sections of the PIA.
- DOJ Privacy Threshold Analysis (3 pp. PDF) – The form used by the Department of Justice (DOJ) to gather information necessary to determine whether a Privacy Impact Assessment (PIA) is required, and if so, whether a short-form or full PIA is needed.
More resources on setting up or refining privacy safeguards. These resources were developed by the DHS Privacy Office for DHS personnel. However, they provide samples of the processes, procedures, and guidelines that fusion centers may wish to put in place.
- Privacy Incident Handling Guidance (PIHG) (January 2012) (88 pp. PDF) – "The Department of Homeland Security (DHS) has a duty to safeguard personally identifiable information (PII) in its possession, and to prevent the compromise of PII in order to maintain the public’s trust in DHS. The Privacy Incident Handling Guidance (PIHG) serves this purpose by informing DHS and its components, employees, senior officials, and contractors of their obligation to protect PII, and by establishing procedures defining how they must respond to a privacy incident, which is the potential loss or compromise of PII."
- Handbook for Safeguarding Sensitive Personally Identifiable Information at DHS (October 2011) (23 pp. PDF) – "[T]he DHS Privacy Office’s Handbook for Safeguarding Sensitive PII at DHS...applies to every DHS employee, contractor, detailee, and consultant. The Handbook sets minimum standards for how all personnel should handle Sensitive PII at DHS."
Examples and Guides from Federal Agencies
The following are some of the federal agencies and commissions that have made their Privacy Impact Assessment (PIA) guidance available on the Internet. Even if you are not required to complete a federal PIA, your agency may wish to view these as samples of how to approach the development of a PIA. They are listed roughly in descending order of how useful their sample guidance is to outside entities.
- General guidance from the Office of Management and Budget (OMB) on conducting a federal PIA.
- Department of Justice (DOJ) – Extensive background material on the topic and guidance on PIAs. Highlights include:
- Department of Homeland Security (DHS) (27 pp. PDF) – This May 2007 guidance from the DHS Privacy Office for DHS programs and systems offers a comprehensive list of questions to be answered in a PIA, a list of triggers for when to conduct a full PIA, and a discussion of the types of information subject to a PIA analysis. The DHS Privacy Officer is responsible for the DHS PIAs. Full-text PIAs conducted by DHS are on-line.