Download:
pdf |
pdf[INSERT CLASSIFICATION/CONTROL MARKINGS, IF APPROPRIATE]
United States Department of Justice
Office of Privacy and Civil Liberties (OPCL)
Information Collection Request-Privacy
Instructions & Template
Assessment
(Revised 3/30/2018)
What is an Information Collection Request-Privacy Act Statement Assessment? An Information
Collection Request-Privacy
Assessment (ICR-PA) assesses whether your ICR I contains a collection
instrument that requires privacy-related notices, either directly on the form, or on a separate form that can
be retained by the individual. Specifically, the ICR-PA is a tool used to assess whether the ICR requests
personally identifiable information(PII);2 whether Privacy Act requirements apply to the ICR; what
system of records notices, if any, apply to the ICR; what information is necessary to prepare a legally
compliant Privacy Act Statement; and whether any other relevant privacy notices are required as part of a
component's ICR.
Why is an Information Collection Request-Privacy Assessment necessary? The numerous
requirements
I.
regarding the collection of PH and ICRs are distinct, but very much related.
The Privacy Act of 1974
Under the Privacy Act of 1974,5 U.S.C. § 552a, a "record,,3 maintained in a "system of
records,,4 establishes certain collection, use, maintenance, and dissemination requirements for
Federal agencies, while also providing certain rights to individuals on whom the record
pertains. Specifically, each agency must provide a "Privacy Act Statement" when requesting
individuals to provide information to the agency that will be maintained as a record about the
I For more information regarding the DO] ICRs process, please review The Information Collection/Paperwork
Reduction Act
Standards & Procedures.
2 The term "personally identifiable information" is defined as "information that can be used to distinguish or trace an individual's
identity, either alone or when combined with other information that is linked or linkable to a specific individual." OMB Circular
A-130, Managing Information as a StrategiC Resource, 81 Fed. Reg. 49689 (July 28, 2016).
J The term "record" means any item, collection, or grouping of information about an individual that is maintained by an agency,
including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that
contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger
or voice print or a photograph. 5 U.S.c. § 552a(a)(4).
4 The term "system of records" means a group of any records under the control of any agency from which information is retrieved
by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. 5
U.S.c. § 552a(a)(5).
[INSERT CLASSIFICATION/CONTROL MARKINGS, IF APPROPRIATE]
1
�[INSERT CLASSIFICATION/CONTROL
MARKINGS, IF APPROPRIATE)
individual in a system of records. The Privacy Act Statement must appear on the form used to
collect the information or on a separate form that can be retained by the individual, and must
contain the following:
(A) the authority (whether granted by statute, or by executive order of the President)
which authorizes the solicitation of the information;
(B) whether disclosure of such information is mandatory or voluntary;
(C) the principal purpose or purposes for which the information is intended to be used;
(D) the routine uses which may be made of the information, as published pursuant to
paragraph (4)(0) of this subsection; and
(E) the effects on him, if any, of not providing all or any part of the requested
information.5
The Privacy Act also places strict notice requirements when requesting Social Security
Numbers (SSNs). Specifically, if an agency requests an individual to disclose his/her SSN
(regardless of whether the number is part of a record maintained in a system of records), the
agency must inform the individual:
(A) whether that disclosure is mandatory or voluntary;
(B) by what statutory or other authority such number is solicited; and
(C) what uses will be made of it.
II.
OMB Memorandum M-17-06: Collecting Personally Identifiable Information Using an
Online Interface
OMB Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital
Services (Nov. 8,2016),6 places additional privacy requirements on information collections
that utilize an online interface (e.g., collecting information through a DO] webpage). A
privacy notice must be provided, whenever feasible, where a Privacy Act Statement is not
required but members of the public could nonetheless provide PH to the agency using an
online interface. The privacy notice should include a brief description of the agency's
practices with respect to the PH that the agency is collecting, maintaining, using, or
disseminating.
III.
The Paperwork Reduction Act
In an effort to avoid overburdening the public with federally sponsored data collections,
Congress passed the Paperwork Reduction Act of 1995, 44 U.S.C. §§ 3501-3521, which
requires Federal agencies to obtain Office of Management and Budget (OMB) approval
before requesting or collecting many types of information 7 from the public. To comply with
the Paperwork Reduction Act, Federal agencies must complete an ICR for submission to
OMB, prior to engaging in the collection of information, which consists of:
5 U.S.c. § 552a(e)(3).
Exec. Office of the President Memorandum for the Heads of the Executive Departments and Agencies, M-17-06, Off. ofMgmt.
& Budget (Nov. 8, 2016), https:llwww.whitehouse.gov/sites/whitehouse.gov/files/omb/memorandaJ20
17/m-17-06.pdf.
70MB regulations define "information" for purposes of the Paperwork Reduction Act as "any statement or estimate of fact or
opinion, regardless of form or format, whether in numerical, graphic, or narrative form, and whether oral or maintained on paper,
electronic or other media." 5 C.F.R. I 320.3(h). This includes: "(I) requests for information to be sent to the government, such as
forms ... written reports ... and surveys ... ; (2) recordkeeping requirements ... ; and (3) third-party or public disclosures ...
." Office of Management and Budget Memorandum, Information Collection under the Paperwork Reduction Act" at 2 (Apr. 7,
2010).
5
6
[INSERT CLASSIFICATION/CONTROL
2
MARKINGS, IF APPROPRIATE]
�[INSERT CLASSIFICATION/CONTROL
(A)
(B)
(C)
(D)
MARKINGS, IF APPROPRIATE]
a description of the information sought;
the justification and authority for collecting the information sought;
the process for carrying out the collection; and
the estimated burden of the collection on respondents and the Government.
OMB requires each agency to provide certain privacy-related information as part of all
agency ICR requests. Specifically, OMB requires agencies to answer two questions
regarding the ICR when reported to OMB:
(A) Does this ICR request any personally identifiable information?
(B) Does this ICR include a form that requires a Privacy Act Statement?
Overall, the ICR-PA will assist components in properly answering OMB's privacy-related questions, and
complying with relevant privacy laws and policies.
When should an Information Collection Request-Privacy Assessment be completed? An ICR-PA
should be completed as soon as a component determines that its ICR will utilize/develop an instrument
for the collection of information, or structured fields to collect information electronically. An ICR-PA
should be completed for any new information collections, or when seeking an extension for an existing
information collection that has not previously completed an ICR-PA. If the ICR contains multiple
collection instruments, a separate assessment should be completed for each instrument. Components must
complete the ICR-PA, and any required notices, prior to uploading the ICR request into the RISC and
OIRA Consolidated Information System (ROCIS), as detailed in The United States Department of Justice,
Information Collection/Paperwork Reduction Act Standards & Procedures.
Who should prepare the Information Collection Request-Privacy Assessment? An ICR-PA should
be completed by the Component Program Manager, and should be coordinated with the component PRA
Coordinator, Senior Component Official for Privacy (SCOP) (or other appropriate component privacy
representative), and the program-specific office responsible for the information collection.
Where should the prepared Information Collection Request-Privacy Assessment be sent? A
completed ICR-PA will certify to the Department Clearance Officer that the Program Manager has
accurately contemplated the new privacy-related questions, and can accurately answer the questions in its
ROCIS submission to OMB OIRA. Components should retain the ICR-PA in their internal records, which
can be requested at any time by the Department Clearance Officer or OPCL.
How is the ICR-PA related to a traditional Initial Privacy Assessment? An Initial Privacy
Assessments (lPA) is the first step in a process developed by OPCL to assist DO] components identify
privacy compliance issues for DO] information collections and systems. Specifically, the IPA is a tool
used to facilitate the identification of potential privacy issues, assess whether additional privacy
documentation is required, and ultimately, ensure the Department's compliance with applicable privacy
laws and policies.
It is likely that an information collection sent through the ICR process that collects PH will be
required to meet additional privacy-related requirements, beyond those discussed in the ICR-PA.
It is highly recommended that you discuss the full collection, use, maintenance, and dissemination
processes related to this ICR with your SCOP as soon as you contemplate a new collection of
information.
[INSERT CLASSIFICATION/CONTROL
3
MARKINGS, IF APPROPRIATE]
�[INSERT CLASSIFICATION/CONTROL
NAME OF INFORMATION
COLLECTION
OMB CONTROL
(IF APPLICABLE):
COMPONENT:
NUMBER
MARKINGS, IF APPROPRIATE]
REQUEST:
Crime Data ExplorerFeedback Survey
1110-0073
CriminalJustice InformationServices (CJIS) Division/FederalBureau of Investigation(FBI)
COMPONENT PRA COORDINATOR
Name: Malissa C. Vavra
Office: Crime and Law Enforcement Statistics Unit
Phone: 304-625-3010
Bldg'/Room Number: CJISlDl
Email: mcvavra@fbi.gov
PROGRAM MANAGER (OR PROGRAM
DELEGATE)
Name: Edward L.Abraham
Office: Crimeand Law EnforcementStatistics Unit
Phone: 304-625-4830
Bldg'/Room Number: CJISID1
Email: elabraham@fbi.gov
MANAGER
SENIOR COMPONENT OFFICIAL FOR PRIVACY
(where applicable) OR COMPONENT PRIVACY
POINT OF CONTACT
Name: Katherine M. Bond
Office: Privacyand CivilLiberties
Phone: 304-625-3190
Bldg'/Room Number: CJIS/C3
Email kmbond@fbi.gov
ICR-PA Certification
& Signature
On behalf of my component,
I certify that:
(1) I have reviewed all collection instruments associated with this ICR;
(2) I have completed the ICR-PA below for the collection instrument(s) associated with this ICR;
(3) I have coordinated closely with the component PRA Coordinator and SCOP (or other appropriate component
privacy representative) in assessing and answering each of the ICR-PA questions below;
(4) To the extent the collection instrument(s) associated with this ICR require(s) a privacy-related notice(s), I have
coordinated internally to ensure that the appropriate notice(s) has/have been drafted; that the notice(s) is/are
conspicuous, salient, clearly labeled, and written in plain language; and that the notice(s) is/are appropriately
displayed as required by law or policy; and
(5) I will reassess the information in this ICR-PA, in accordance with the Department's ICR process, should the
instrument(s) associated with this ICR materially change.
Program Manager Name:
Program Manager Signature:
Date signed:
EdwardL.Abraham
!J.d| File Type | application/pdf |
| File Modified | 0000-00-00 |
| File Created | 2024-05-20 |