A privacy impact assessment (or “PIA”) is one of the most valuable tools Federal agencies use to ensure compliance with applicable privacy requirements and to manage privacy risks. Federal agencies are required to conduct and draft a PIA with sufficient clarity and specificity to demonstrate that the agency fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the agency activity and throughout the information life cycle.
Related Laws, Policies, and Resources:
E-Government Act of 2002
Section 208 of the E-Government Act requires all Federal agencies to conduct a PIA when developing or procuring new information technology involving the collection, maintenance, or dissemination of information in identifiable form or when making substantial changes to existing information technology that manages information in identifiable form.
OMB Circular A-130, Managing Information as a Strategic Resource (July 28, 2016)
This Circular establishes general policy for the planning, budgeting, governance, acquisition, and management of Federal information, personnel, equipment, funds, IT resources, and supporting infrastructure and services.
Model Privacy Impact Assessment for Agency Use of Third-Party Websites and Applications (December 29, 2011)
This Memorandum includes a model PIA that Federal agencies are required to use when preparing an adapted PIA before engaging the public through third-party websites and applications.
OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications (June 25, 2010)
This Memorandum requires Federal agencies to take specific steps to protect individual privacy whenever they use third-party websites and applications to engage with the public. Among other things, it modifies OMB Memorandum M-03-22 to require an adapted PIA when an agency’s use of a third-party website or application makes personally identifiable information available to the agency.
OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003)
This Memorandum provides information to agencies on implementing the privacy provisions of the E-Government Act of 2002. Among other things, it includes policies and guidelines for when and how to conduct a PIA.