Resources for Conducting a PIA

A Privacy Impact Assessment (PIA) is an analytical process that evaluates the possible privacy risks (and the mitigation of those risks) by applying the Fair Information Practice Principles (FIPPs) to your review of a fusion center system. A PIA examines how a fusion center has incorporated privacy concerns throughout its development, design, and deployment of a technology, program, or process.

When Should I Conduct a PIA? You may conduct a PIA at any point in the life cycle of a program or procedure; however, it is especially helpful when standing up a new system. While you may conduct a PIA on an existing system, adding any privacy protections that you have identified in the course of writing the PIA may be more costly and may even affect the viability of the system. In addition, your PIA is a living document that needs to be updated periodically as your programs and systems are changed and updated, not just at the time of deployment.

PIAs Enhance Fusion Center Transparency - If you choose to make the resulting PIA document public, you will foster public trust by demonstrating transparency in your fusion center initiatives. The Department of Homeland Security (DHS) publishes its PIAs on its website. A good model for you to consider is the PIA on DHS support for the national network of fusion centers (42pp | 320kb | PDF).

Step-by-Step Mini-guide on conducting a PIA

  1. Background Reading:
  2. Develop your fusion center policy on PIAs (5pp | 270kb | PDF), ensuring that it remains consistent with your P/CRCL Policy. This policy will set out the procedure for completing, approving, and disseminating PIAs at your fusion center.
    • After developing the policy on PIAs, you should consider conducting a PIA on fusion center operations (6pp | 53kb | DOC). This overarching PIA provides a bird's-eye view of privacy concerns at your fusion center.
  3. Coordinate with appropriate IT personnel to develop an understanding of the system. Knowing what data will be shared, under what circumstances it will be shared, with whom it will be shared, and similar details will allow you to manage the PIA process with more confidence.
  4. Work with fusion center personnel to complete the model Privacy Threshold Analysis (PTA) (5pp | 232kb | PDF) to determine if a PIA is needed.
    • Determine, with the assistance of legal counsel, whether the results of the PTA indicate that a PIA is required. This determination is based upon weighing the answers to the questions on the PTA. In general, any new data system (especially one collecting Personally Identifiable Information (PII)) should be subject to a PIA. One tell-tale sign that a PIA may be required is if the system stores, uses, or otherwise maintains PII (at page 6) (38pp | 983kb | PDF).
  5. If the PTA reveals the need for a PIA, conduct a PIA on your fusion center program or IT system using this template (6pp | 53kb | DOC), modeled on the DHS PIA Template.
    • Identify, analyze, and assess the privacy risks associated with the data the information system collects and stores.
    • Develop policies that specifically address and mitigate any discovered risks. These can include enhanced security features (technological and/or physical), an updated records retention schedule, audit requirements, and challenge processes for data that originates in other systems.
  6. Vulnerabilities identified in privacy policies and processes as a result of conducting the PIA may need to be mitigated.
    • Review your P/CRCL Policy to determine if updates are needed.
  7. Often a recommendation in a PIA is to implement policy controls and conduct periodic audits to ensure compliance. Ensure that you develop an appropriate timeline for conducting audits and other compliance checks.

Source: The DHS Office for Civil Rights and Civil Liberties and the DHS Privacy Office developed this page using the Guide to Conducting PIAs for State, Local, and Tribal Information Sharing Initiatives (38pp | 983kb | PDF).

Last date page updated: 8/16/13 (CRCL)