Privacy Assessment

ICR-PA_ViCAP_2022.pdf

ViCAP Case Submission Form

Privacy Assessment

OMB: 1110-0011

Document [pdf]
Download: pdf | pdf
[INSERT CLASSIFICATION/CONTROL MARKINGS, IF APPROPRIATE]

United States Department of Justice
Office of Privacy and Civil Liberties (OPCL)

Information Collection Request–Privacy Assessment
Instructions & Template
(Revised 3/30/2018)

What is an Information Collection Request–Privacy Act Statement Assessment? An Information
Collection Request–Privacy Assessment (ICR–PA) assesses whether your ICR 1 contains a collection
instrument that requires privacy-related notices, either directly on the form, or on a separate form that can
be retained by the individual. Specifically, the ICR–PA is a tool used to assess whether the ICR requests
personally identifiable information(PII); 2 whether Privacy Act requirements apply to the ICR; what
system of records notices, if any, apply to the ICR; what information is necessary to prepare a legally
compliant Privacy Act Statement; and whether any other relevant privacy notices are required as part of a
component’s ICR.
Why is an Information Collection Request–Privacy Assessment necessary? The numerous
requirements regarding the collection of PII and ICRs are distinct, but very much related.
I.

The Privacy Act of 1974
Under the Privacy Act of 1974, 5 U.S.C. § 552a, a “record” 3 maintained in a “system of
records” 4 establishes certain collection, use, maintenance, and dissemination requirements for
Federal agencies, while also providing certain rights to individuals on whom the record
pertains. Specifically, each agency must provide a “Privacy Act Statement” when requesting
individuals to provide information to the agency that will be maintained as a record about the

1

For more information regarding the DOJ ICRs process, please review The Information Collection/Paperwork Reduction Act
Standards & Procedures.
2 The term “personally identifiable information” is defined as “information that can be used to distinguish or trace an individual’s
identity, either alone or when combined with other information that is linked or linkable to a specific individual.” OMB Circular
A-130, Managing Information as a Strategic Resource, 81 Fed. Reg. 49689 (July 28, 2016).
3 The term “record” means any item, collection, or grouping of information about an individual that is maintained by an agency,
including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that
contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger
or voice print or a photograph. 5 U.S.C. § 552a(a)(4).
4 The term “system of records” means a group of any records under the control of any agency from which information is retrieved
by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. 5
U.S.C. § 552a(a)(5).

[INSERT CLASSIFICATION/CONTROL MARKINGS, IF APPROPRIATE]
1

[INSERT CLASSIFICATION/CONTROL MARKINGS, IF APPROPRIATE]
individual in a system of records. The Privacy Act Statement must appear on the form used to
collect the information or on a separate form that can be retained by the individual, and must
contain the following:
(A) the authority (whether granted by statute, or by executive order of the President)
which authorizes the solicitation of the information;
(B) whether disclosure of such information is mandatory or voluntary;
(C) the principal purpose or purposes for which the information is intended to be used;
(D) the routine uses which may be made of the information, as published pursuant to
paragraph (4)(D) of this subsection; and
(E) the effects on him, if any, of not providing all or any part of the requested
information. 5
The Privacy Act also places strict notice requirements when requesting Social Security
Numbers (SSNs). Specifically, if an agency requests an individual to disclose his/her SSN
(regardless of whether the number is part of a record maintained in a system of records), the
agency must inform the individual:
(A) whether that disclosure is mandatory or voluntary;
(B) by what statutory or other authority such number is solicited; and
(C) what uses will be made of it.
II.

OMB Memorandum M-17-06: Collecting Personally Identifiable Information Using an
Online Interface
OMB Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital
Services (Nov. 8, 2016), 6 places additional privacy requirements on information collections
that utilize an online interface (e.g., collecting information through a DOJ webpage). A
privacy notice must be provided, whenever feasible, where a Privacy Act Statement is not
required but members of the public could nonetheless provide PII to the agency using an
online interface. The privacy notice should include a brief description of the agency’s
practices with respect to the PII that the agency is collecting, maintaining, using, or
disseminating.

III.

The Paperwork Reduction Act
In an effort to avoid overburdening the public with federally sponsored data collections,
Congress passed the Paperwork Reduction Act of 1995, 44 U.S.C. §§ 3501–3521, which
requires Federal agencies to obtain Office of Management and Budget (OMB) approval
before requesting or collecting many types of information 7 from the public. To comply with
the Paperwork Reduction Act, Federal agencies must complete an ICR for submission to
OMB, prior to engaging in the collection of information, which consists of:

5

5 U.S.C. § 552a(e)(3).
Exec. Office of the President Memorandum for the Heads of the Executive Departments and Agencies, M-17-06, Off. of Mgmt.
& Budget (Nov. 8, 2016), https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf.
7 OMB regulations define “information” for purposes of the Paperwork Reduction Act as “any statement or estimate of fact or
opinion, regardless of form or format, whether in numerical, graphic, or narrative form, and whether oral or maintained on paper,
electronic or other media.” 5 C.F.R. 1320.3(h). This includes: “(1) requests for information to be sent to the government, such as
forms . . . written reports . . . and surveys . . . ; (2) recordkeeping requirements . . . ; and (3) third-party or public disclosures . . .
.” Office of Management and Budget Memorandum, Information Collection under the Paperwork Reduction Act” at 2 (Apr. 7,
2010).
6

[INSERT CLASSIFICATION/CONTROL MARKINGS, IF APPROPRIATE]
2

[INSERT CLASSIFICATION/CONTROL MARKINGS, IF APPROPRIATE]

(A) a description of the information sought;
(B) the justification and authority for collecting the information sought;
(C) the process for carrying out the collection; and
(D) the estimated burden of the collection on respondents and the Government.
OMB requires each agency to provide certain privacy-related information as part of all
agency ICR requests. Specifically, OMB requires agencies to answer two questions
regarding the ICR when reported to OMB:
(A) Does this ICR request any personally identifiable information?
(B) Does this ICR include a form that requires a Privacy Act Statement?
Overall, the ICR–PA will assist components in properly answering OMB’s privacy-related questions, and
complying with relevant privacy laws and policies.
When should an Information Collection Request–Privacy Assessment be completed? An ICR–PA
should be completed as soon as a component determines that its ICR will utilize/develop an instrument
for the collection of information, or structured fields to collect information electronically. An ICR–PA
should be completed for any new information collections, or when seeking an extension for an existing
information collection that has not previously completed an ICR-PA. If the ICR contains multiple
collection instruments, a separate assessment should be completed for each instrument. Components must
complete the ICR-PA, and any required notices, prior to uploading the ICR request into the RISC and
OIRA Consolidated Information System (ROCIS), as detailed in The United States Department of Justice,
Information Collection/Paperwork Reduction Act Standards & Procedures.
Who should prepare the Information Collection Request–Privacy Assessment? An ICR–PA should
be completed by the Component Program Manager, and should be coordinated with the component PRA
Coordinator, Senior Component Official for Privacy (SCOP) (or other appropriate component privacy
representative), and the program-specific office responsible for the information collection.
Where should the prepared Information Collection Request–Privacy Assessment be sent? A
completed ICR-PA will certify to the Department Clearance Officer that the Program Manager has
accurately contemplated the new privacy-related questions, and can accurately answer the questions in its
ROCIS submission to OMB OIRA. Components should retain the ICR-PA in their internal records, which
can be requested at any time by the Department Clearance Officer or OPCL.
How is the ICR–PA related to a traditional Initial Privacy Assessment? An Initial Privacy
Assessments (IPA) is the first step in a process developed by OPCL to assist DOJ components identify
privacy compliance issues for DOJ information collections and systems. Specifically, the IPA is a tool
used to facilitate the identification of potential privacy issues, assess whether additional privacy
documentation is required, and ultimately, ensure the Department’s compliance with applicable privacy
laws and policies.
It is likely that an information collection sent through the ICR process that collects PII will be
required to meet additional privacy-related requirements, beyond those discussed in the ICR-PA.
It is highly recommended that you discuss the full collection, use, maintenance, and dissemination
processes related to this ICR with your SCOP as soon as you contemplate a new collection of
information.

[INSERT CLASSIFICATION/CONTROL MARKINGS, IF APPROPRIATE]
3

[INSERT CLASSIFICATION/CONTROL MARKINGS, IF APPROPRIATE]
NAME OF INFORMATION COLLECTION REQUEST:
OMB CONTROL NUMBER (IF APPLICABLE):
COMPONENT:
COMPONENT PRA COORDINATOR
Name: Hoang Kim Le
Office: Internal Policy Office
Phone: 202-324-5309
Bldg./Room Number: JEH/9798
Email: hkle@fbi.gov

PROGRAM MANAGER (OR PROGRAM MANAGER
DELEGATE)
Name: Nathan S Graham
Office: CIRG/BAU-4/ViCAP
Phone: 703-632-4309
Bldg./Room Number: Aquia
Email: nsgraham@fbi.gov

SENIOR COMPONENT OFFICIAL FOR PRIVACY
(where applicable) OR COMPONENT PRIVACY
POINT OF CONTACT
Name: Douglas Steenhuisen
Office: Privacy and Civil Liberties Unit
Phone: 202-324-5345
Bldg./Room Number: JEH
Email dsteenhuisen@fbi.gov

ICR-PA Certification & Signature
On behalf of my component, I certify that:
(1) I have reviewed all collection instruments associated with this ICR;
(2) I have completed the ICR-PA below for the collection instrument(s) associated with this ICR;
(3) I have coordinated closely with the component PRA Coordinator and SCOP (or other appropriate component
privacy representative) in assessing and answering each of the ICR-PA questions below;
(4) To the extent the collection instrument(s) associated with this ICR require(s) a privacy-related notice(s), I have
coordinated internally to ensure that the appropriate notice(s) has/have been drafted; that the notice(s) is/are
conspicuous, salient, clearly labeled, and written in plain language; and that the notice(s) is/are appropriately
displayed as required by law or policy; and
(5) I will reassess the information in this ICR-PA, in accordance with the Department’s ICR process, should the
instrument(s) associated with this ICR materially change.

Program Manager Name:

Nathan S Graham
_______________________________

Program Manager Signature:

_______________________________

Date signed:

07/26/2022
_______________________________

Digitally signed by Nathan Graham
DN: cn=Nathan Graham, o, ou, email=nathan.graham75@gmail.com, c=US
Date: 2019.04.04 10:27:04 -04'00'

Please prepare the ICR–PA per the guidance provided in the questions on the template
below. If the ICR contains multiple collection instruments an assessment should be
completed for each instrument

[INSERT CLASSIFICATION/CONTROL MARKINGS, IF APPROPRIATE]
4

[INSERT CLASSIFICATION/CONTROL MARKINGS, IF APPROPRIATE]

ICR Instrument Name:

FD-676 - ViCAP Hard Copy Case Submission Form
_______________________________________

1110-0011
OMB Control Number (if applicable): _______________________________________

1. Which of the following describes the collection.
___ Electronic only.
___ Paper only.
✔ Combination paper/electronic.
___

2. Does the ICR include a collection instrument (either physical or electronic)?
✔ Yes. [If you marked “Yes,” proceed to question 3].
___

___ No. [If you marked “No,” STOP here. Additional privacy statements are not
necessary for this collection].
3. Please indicate if any of the following characteristics apply to the information collected:
(Check all that apply.)
✔ The information directly identifies specific individuals.
___

___ The information is intended to be used, in conjunction with other data elements, to
indirectly identify specific individuals.
___ The information can be used to distinguish or trace an individual’s identity (i.e., it
is linked or linkable to specific individuals).
[If you marked any of the above, proceed to question 4.]
___ None of the above.
[If you checked “None of the above,” STOP here. Additional privacy statements are not
necessary for this collection].
4. Is the component requesting an individual to disclose his/her Social Security Number (SSN)?
✔ No. [If you marked “No,” proceed to question 5].
___

___ Yes. [A SSN Statement may be required, pursuant to the Privacy Act. Coordinate
with your SCOP to draft an appropriate statement. Proceed to the next questions to
determine whether additional notifications are required].

[INSERT CLASSIFICATION/CONTROL MARKINGS, IF APPROPRIATE]
5

[INSERT CLASSIFICATION/CONTROL MARKINGS, IF APPROPRIATE]

5. Is the component collecting the information using an online interface (e.g., a webpage)?
___ No. [If you marked “No,” proceed to question 6].
✔ Yes. [A privacy notice may be required, pursuant to OMB M-17-06. Coordinate
___
with your SCOP to draft an appropriate statement. Proceed to the next questions to
determine whether additional notifications are required].

6. Will information about United States citizens or lawfully admitted permanent resident aliens be
retrieved from the instrument by a personal identifier (e.g., by name)?
___ No. [If you marked “No,” STOP here. Additional privacy statements are not
necessary for this collection, but you may have additional privacy-related
requirements beyond those discussed in this ICR-PA. Consult your SCOP to
identify additional privacy-related requirements, if any.]
✔

___ Yes, [If you marked “Yes,” proceed to question 7].
7. Is there an existing Privacy Act System of Records Notice (SORN) that has been published in
the Federal Register that will sufficiently cover this new collection? (Please consult with your
component’s SCOP, Privacy Act officer, General Counsel, or OPCL if assistance is needed in
responding to this question.)
___ No. [If you marked “No,” contact your SCOP/OPCL. An accurate SORN must
be published before a component may collect this information].
✔

___ Yes. [If you marked “Yes,” proceed to question 8].
8. Does the existing SORN properly reflect this new information to be collected? (Please consult
with your component’s SCOP, Privacy Act officer, General Counsel, or OPCL if assistance is
needed in responding to this question.)
___ No. [If you marked “No,” contact your SCOP/OPCL. An accurate SORN must
be published before a component may collect this information].
✔
___
Yes. [A Privacy Act Statement may be required, pursuant to the Privacy Act.
Coordinate with your SCOP to draft an appropriate statement].

[INSERT CLASSIFICATION/CONTROL MARKINGS, IF APPROPRIATE]
6


File Typeapplication/pdf
AuthorOPCL
File Modified2019-04-04
File Created2018-03-30

© 2024 OMB.report | Privacy Policy