Privacy Impact Assessments PIAs - PowerPoint PPT Presentation

Slides: 14
Provided by: bran4

Transcript and Presenter's Notes


1
  • Privacy Impact Assessments (PIAs) - USPS Process
  • Center for Democracy & Technology

Zoë Strickland, Chief Privacy Officer
March 31, 2004
2
OUTLINE
Privacy Impact Assessments (PIAs) - USPS Process
  • Background
  • Privacy Impact Assessment (PIA)
  • Conclusion

3
USPS - Scope & Model
BACKGROUND
  • Scope
      • 729,000 employees
      • 37,579 retail locations; 7M customer transactions daily
      • 202B mail pieces yearly; mail industry 8% of U.S. GDP
      • One of largest govt. websites (approx. 650,000 daily hits)
      • 70 customer databases - 8 customer call centers
      • 14,000 servers / 113,000 desktops / 20,000 laptops
  • Business Model
      • Independent government entity
      • Transformation Plan and Postal Reform

4
Develop Privacy Program
BACKGROUND
  • People
  • Policies
  • Processes
  • Publication

5
Privacy Impact Assessment (PIA)
PIA PROCESS OUTLINE
  • What: PIA description & scope
  • When: Timing
  • Who: Roles
  • How: IT Life Cycle
  • Why: Benefits

6
What It Is
PRIVACY IMPACT ASSESSMENT (PIA)
  • Questionnaire that
      • Solicits pertinent information about system or program
      • Addresses privacy requirements
      • Establishes security requirements & security plan
      • Captures, assesses, and drives data practices
      • Tool for other privacy compliance
  • Format
      • Question and answer format
      • Factual open-ended questions

7
What: PIA description & scope
PRIVACY IMPACT ASSESSMENT (PIA)
  • All information developed using postal resources, brand, or funding
  • All technologies related to creating, collecting, or managing information
  • All information systems, applications, networks, etc. operated by/for USPS
  • Information resources supporting products & services

8
When: Timing
PRIVACY IMPACT ASSESSMENT (PIA)
  • When Required
      • New information resource
      • Every three years
      • Significant change to resource
  • Timing in System Development
      • Begins: Business Plan development phase
      • PIA process runs concurrent with security plan development (average 2-4 weeks)
      • Ends: Prior to deployment

9
Who: Roles
PRIVACY IMPACT ASSESSMENT (PIA)
  • Executive Sponsor (Developer and/or User)
      • completion of and compliance with PIA
      • submission of completed PIA to CPO & CISO
      • must sign acceptance of responsibility document - accountability
  • Chief Privacy Officer (CPO)
      • assist to complete and ensure compliance with privacy sections
      • determination of sensitivity
      • accountable for approving privacy sections
  • Corporate Information Security Office (CISO)
      • assist to complete security sections & develop/comply with Security Plan
      • determination of criticality
      • accountable for approving security sections & documenting negotiations

10
How: IT Life Cycle
DEVELOP PRIVACY PROGRAM - PROCESSES
  • Five phases with defined deliverables
  • Consistent and repeatable process
  • Documented risk mgmt approach
  • Informed decision-making
  • No surprises at the end!

11
Why: Benefits
PRIVACY IMPACT ASSESSMENT (PIA)
  • The PIA process ensures that compliance is
    designed into systems being developed or modified
    by business drivers.
  • Information Obtained
  • Application notice and description
  • All privacy requirements
  • Sensitivity determination
  • Tool for Compliance Next Steps
  • Privacy Act SOR
  • Contract Clauses
  • Online
  • Governance
  • Aids business decisions and drives data practices
  • Integrates and accomplishes privacy and security
  • Scope, Timing, and Role defined

12
Conclusion
PRIVACY IMPACT ASSESSMENT (PIA)
  • PIA is a powerful tool
      • Integrating across organization
      • Ensuring good data management practices & protections
      • Citizen / Customer - added layer of protection
  • Integrate into privacy program
  • Integrate into privacy community

13
Contact Information

Chief Privacy Officer: Zoe Strickland
zoe.c.strickland_at_usps.gov
privacy_at_usps.com
  • PRIVACY OFFICE
  • US POSTAL SERVICE
  • 475 LENFANT PLZ SW RM 10407
  • WASHINGTON DC 20260-2200