Download:
pdf |
pdfPrivacy Impact Assessment
DHS/XXX/PIA-0XX [Title]
Page 4
Privacy Impact Assessment
for the
Individuals and Households Program
Equity Analysis
DHS Reference No. DHS/FEMA/PIA-057
June 30, 2022
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 1
Abstract
The Federal Emergency Management Agency (FEMA), Office of Response and Recovery
(ORR), Individual Assistance (IA) Division will manage the Individuals and Households
Program (IHP) Equity Analysis project. The purpose of this project is to collect and analyze
information from FEMA applicants to ensure the equitable and impartial distribution of supplies,
processing of applications, and performance of other relief and assistance activities, in accordance
with section 308(a) of the Stafford Act, which prohibits discrimination on grounds of race, color,
religion, nationality, sex, age, disability, English proficiency, or economic status. The purpose of
collecting and using this information is to (1) enhance equity in the provision of FEMA’s services
and benefits; (2) improve the effectiveness of communications to the public on accessing
programs, such as by removing barriers to application, qualification, and award of services while
enhancing programmatic accessibility and equity; and (3) determine whether the individuals who
apply for, receive, or continue to receive disaster assistance and benefits can do so in a nondiscriminatory and equitable manner. This Privacy Impact Assessment (PIA) addresses FEMA’s
collection and use of applicant demographic data including the combination of applicant
demographic data with Individual Assistance registration and assistance records and customer
satisfaction survey data.
Introduction
The FEMA Office of Response and Recovery, Recovery Front Office is establishing a
new Office of Equity and Strategic Initiatives (OES) to support the Directorate’s commitment to
long-term implementation of strategic priorities with an emphasis on diversity, equity, and
inclusion in the FEMA organization and program delivery. The Office of Equity and Strategic
Initiatives will also coordinate directly with FEMA’s Recovery Divisions, the Office of Equal
Rights (OER), the Office of Policy and Program Analysis (OPPA), and the FEMA Equity
Executive Steering Group alongside other FEMA equity groups. The Recovery Equity Officer
will also fall under the Office of Equity and Strategic Initiatives and will chair a newly established
Equity Council for the Directorate.
In alignment with the strategic priorities and to implement the FEMA Equity Analysis
project, the Office of Response and Recovery, Individual Assistance Division will collect and
use demographic records, registration and assistance records, and customer satisfaction survey
records from applicants for disaster assistance through the FEMA Individuals and Households
Program to assess its civil rights, nondiscrimination and equity requirements, and obligations.
These requirements and obligations are outlined in federal civil rights laws such as Title VI of
the Civil Rights Act of 1964, 42 U.S.C. § 2000d, section 504 of the Rehabilitation Act of 1973,
29 U.S.C. § 794, and section 308 of the Robert T. Stafford Disaster Relief and Emergency
Assistance Act (Stafford Act).
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 2
This Privacy Impact Assessment covers FEMA’s Office of Response and Recovery,
Individual and Households Program’s new collection of demographic information on Individual
Assistance applicants (covered under Office of Management and Budget (OMB) Information
Collection Request (ICR) 1660-NW133: Generic Clearance for Civil Rights and Equity) and the
combination of that demographic data with data from other sources, including applicant
registration and assistance records (OMB 1660-0002) and customer satisfaction survey records
(OMB 1660-0029, 1660-0130, 1660-0143, and 1660-0145) to assess equity in Individual
Assistance programs. FEMA needs additional demographic data concerning individuals who
participate in or benefit from FEMA programs and activities to ensure accessibility and
distributional equity1 in such programs and activities and to make alterations to FEMA programs
and policies or pivot the direction of FEMA disaster response activities based upon identified
areas of concern. For information regarding FEMA’s collection, maintenance, and use of
personally identifiable information for the provision of disaster assistance generally, please
review the Individual Assistance (IA) Program Privacy Impact Assessment.2 Likewise, the
Enterprise Customer Survey System Privacy Impact Assessment3 outlines FEMA’s collection,
maintenance, and use of Individual Assistance applicant survey data to generally measure
customer satisfaction.
Background
Section 308 of the Stafford Act requires FEMA to ensure that the “distribution of supplies,
the processing of applications, and other relief and assistance activities shall be accomplished in
an equitable and impartial manner, without discrimination on the grounds of race, ethnicity,
nationality, gender, age, disability, Tribal enrollment, educational level, English proficiency,
marital status, economic status, or other protected bases.” Although FEMA’s policies are facially
nondiscriminatory, FEMA has not had access to sufficient demographic data to demonstrate
compliance with statutory equity requirements nor has it been able to appropriately assess the
Equity is defined as “the consistent and systematic fair, just, and impartial treatment of all individuals, including
individuals who belong to underserved communities that have been denied such treatment, such as Black, Latino,
and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color;
members of religious minorities; lesbian, gay, bisexual, transgender, and queer (LGBTQ+) persons; persons with
disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or
inequality” See Executive Order on Advancing Racial Equity and Support for Underserved Communities Through
the Federal Government, Exec. Order No. 13985, 89 Fed. Reg. 7009 (Jan. 25, 2021),
https://www.federalregister.gov/documents/2021/01/25/2021-01753/advancing-racial-equity-and-support-forunderserved-communities-through-the-federal-government.
2
See U.S. DEPARTMENT OF HOMELAND SECURITY, FEDERAL EMERGENCY MANAGEMENT AGENCY, PRIVACY IMPACT
ASSESSMENT FOR THE INDIVIDUAL ASSISTANCE (IA) PROGRAM, DHS/FEMA/PIA-049 (2018), available at Privacy
Documents for FEMA | Homeland Security (dhs.gov).
3
See U.S. DEPARTMENT OF HOMELAND SECURITY, FEDERAL EMERGENCY MANAGEMENT AGENCY, PRIVACY IMPACT
ASSESSMENT FOR THE CUSTOMER SATISFACTION ANALYSIS SYSTEM (CSAS), DHS/FEMA/PIA-035 (2014),
available at Privacy Documents for FEMA | Homeland Security (dhs.gov).
1
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 3
validity of independent research and the outcomes related to underserved communities.4 The data
FEMA currently collects does not provide a complete representation of an individual’s
demographic characteristics and is insufficient to conduct a comparative analysis to ensure that
disaster assistance relief is provided in an equitable and impartial manner.
FEMA will collect demographic information from applicants who voluntarily provide it
during the Registration Intake (RI) process and create datasets incorporating Registration Intake
and customer satisfaction survey data to assess whether agency policies and actions create or
exacerbate barriers to full and equal participation by all eligible individuals. FEMA must analyze
demographic characteristics in combination with Registration Intake and survey data to determine
whether barriers to FEMA’s assistance programs are measurable and traceable to these
characteristics and if so, take steps to address and mitigate the barriers. For example, FEMA may
develop new forms of outreach, communication, and registration for assistance based on
identified trends related to race, gender, and socioeconomic status to better ensure maximum
registration rates.
Data Collection and Analysis
The Individual Assistance Division is updating the Individuals and Households Program
Registration Intake process to collect demographic information from disaster assistance
applicants who choose to provide it. After the applicant has answered all Registration Intake
questions, FEMA will ask additional questions for the purpose of equity analysis. The additional
questions will request the applicant’s race, ethnicity (e.g. Hispanic or Latino), gender, marital
status, highest level of education completed, and Tribal enrollment status. Each question will list
a “prefer not to answer” option.
The Individual Assistance Division will ask the new demographic questions solely for
equity analysis. No eligibility determinations will be made using the collected demographic
information. The Individual Assistance Division may combine the responses to the demographic
questions with any information it collects for purposes of disaster assistance registration intake
and appeals and customer satisfaction surveys. This includes, but is not limited to other
demographic information,5 responses to survey questions, and information submitted by or on
behalf of the disaster assistance applicant to measure damages and obtain FEMA assistance in a
declared emergency or disaster. Although FEMA may combine registration, appeal, and survey
information with demographic responses for equity analysis, FEMA will not use these datasets
Underserved communities “refers to populations sharing a particular characteristic, as well as geographic
communities, that have been systematically denied a full opportunity to participate in aspects of economic, social,
and civic life,” located at Executive Order on Advancing Racial Equity and Support for Underserved Communities
Through the Federal Government, Exec. Order No. 13985, 89 Fed. Reg. 7009 (Jan. 25, 2021),
https://www.federalregister.gov/documents/2021/01/25/2021-01753/advancing-racial-equity-and-support-forunderserved-communities-through-the-federal-government.
5
Demographic information could include (age, income, and disability).
4
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 4
or an individual’s answers compiled from the Individual Assistance demographic questions to
make disaster assistance eligibility determinations for that individual.
The registrant must respond to the Individual Assistance demographic questions to
complete the Registration Intake process; however, one of the responses to each question is
“prefer not to answer.” The Privacy Act Statement on the application forms serves as notice to
individuals that their decision to respond to any demographic question with “prefer not to answer”
will not prevent them from receiving assistance. FEMA will restrict access to the demographic
data using database and application controls, and FEMA staff will not have access to the
information without a specific “need to know.” Individuals have a “need to know” if they (1)
work within the Individual Assistance and Recovery Reporting and Analytics (RAD) Divisions,
(2) perform program equity analysis tasks in their official work responsibilities or (3) belong to
the software development team and are responsible for amending records in response to an
individual’s request. The use of role-based access within the Individual Assistance enterprise
application and the Individual Assistance enterprise database ensures the isolation of
demographic data. FEMA employees who process applications will not have access to the
isolated demographic information.
FEMA will create datasets utilizing various combinations of applicant demographic
characteristics along with registration intake and appeal records and customer service survey
records. FEMA will store demographic data along with individual Registration Intake applicant
data in separate tables in existing database systems, such as the Disaster Assistance Improvement
Plan (DAIP) application, Individual Assistance System (formerly NEMIS-IA), and Enterprise
Data Warehouse (EDW),6 to generate reports on the Individual Assistance Division’s efforts and
performance in ensuring equity and nondiscrimination in its programs, policies, procedures,
services, and activities that serve individuals. FEMA staff conducting equity analysis will create
datasets by querying the individual source systems via the Enterprise Data Warehouse and will
combine the data to be viewed on FEMA approved devices. FEMA will restrict access to the data
by using its role-based permissions, which is a mature and widely used mechanism in the
Individual Assistance and Enterprise Data Warehouse applications.
FEMA may share this information in an aggregate, anonymized format with internal
FEMA programs and publicly through OpenFEMA and FEMA External Affairs, Freedom of
Information Act (FOIA) requests, relevant DHS offices and components, and reports submitted
to the White House and Congress.
FEMA will use the combined datasets to better understand the relationship between
6
See U.S. DEPARTMENT OF HOMELAND SECURITY, FEDERAL EMERGENCY MANAGEMENT AGENCY, PRIVACY IMPACT
ASSESSMENT FOR THE OPERATIONAL DATA STORE AND ENTERPRISE DATA WAREHOUSE, DHS/FEMA/PIA-026
(2012), available at Privacy Documents for FEMA | Homeland Security (dhs.gov); see also forthcoming
DHS/FEMA Individuals and Households Program Equity Analysis Records System of Records.
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 5
demographics and Individuals and Households Program assistance outcomes, which will inform
program and policy analysis as well as help with operational decisions.
Based largely on equity analyses conducted by non-governmental organizations, FEMA
recently made a change to its policy regarding proof of ownership to account for a tradition of
generational inheritance (rather than written documentation) of home ownership particular to
households that shared cultural and racial backgrounds and were in certain areas of the United
States. However, to remain facially neutral and nondiscriminatory, these policy changes apply to
all registrants that need to show ownership to receive assistance. Although FEMA was able to
make these changes without conducting the equity analysis discussed in this Privacy Impact
Assessment, such an analysis might have assisted FEMA in recognizing the extent of this barrier
to assistance without relying on outside assessments.
Collecting this information during the registration process will enable FEMA to perform
its own equity analyses to better understand a wide variety of information including (1) whether
individuals access FEMA’s varying registration methods at different rates based on demographic
categories, (2) whether contact preferences, referral rates, and eligibility and award rates differ
based on demographic characteristics, and (3) whether any potential barriers exist in application
or assistance by demographic category. FEMA intends to use these data points both in day-today operational analysis and for long-term strategic analysis.
FEMA will conduct statistical analysis to examine the relationships between demographic
data and program outcomes. This will help gain insight about any potential disparities in disaster
assistance delivery. For example, FEMA will use statistical analysis to:
•
Determine differences between demographic groups and Individuals and Households
Program outcomes, which may include:
o Program referral rates
o Insured rates
o Eligibility rates
o Eligibility amounts
o Assistance denial reasons
o Appeals rates and/or types.
•
Explore appeal outcomes between different demographic groups. If certain demographic
groups have a higher rate of appeals, the stated reasons for appeals may help determine
why the differences exist.
•
Examine relationships between demographic data and registration damage self-
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 6
assessment questions, or the accuracy of the self-assessment and FEMA inspector damage
determinations when the two are compared. More inaccuracies associated with a
particular demographic group may indicate that the self-assessment or inspector’s
determination requires revision. For example, people who speak English as a second
language may struggle more with understanding how to evaluate their damage and
perhaps the instructions need modification.
•
Determine if any disparities in program outcomes result from specific policies,
procedures, guidelines, or employee/contractor behavior.
•
Assess the impact on small, vulnerable populations of proposed changes in policy, law,
regulations, and procedure by conducting statistical tests. For purposes of this Privacy
Impact Assessment, vulnerable populations and underserved communities are
interchangeable terms.
Such analysis may aid with future planning and identify deficiencies in FEMA’s current
processes that may need modification to be fairer and more equitable. The purpose of collecting
demographic data during registration is to gather data from a registrant during their FEMA
application process, which minimizes the number of engagements with a registrant. Additionally,
the purpose of tying the demographic data with data collected via the registration and survey
processes (including personally identifiable information) is to support a holistic analysis that
allows FEMA to determine impacts to applicants throughout all stages of interaction with the
Individuals and Households Program. In the performance of their registration casework, FEMA
caseworkers cannot see the demographic data in a registrant’s Individual Assistance file. The data
will reside in the database layer of the Individual Assistance System and not in the application
itself. Only a select few program equity analysts will have access to the demographic data,
potentially in combination with data from the application and directly from the database using
data analysis tools in the Enterprise Data Warehouse to run reports using demographic and other
data to assess equity.
Example Use Cases
Demographic data in the Individuals and Households Program will help improve
operational outcomes for vulnerable communities by:
•
Prioritizing the placement of Disaster Recovery Centers and Disaster Survivor Assistance
Teams in communities where vulnerable people are applying for assistance.
•
Comparing registration data to Census data in the community to identify areas where
vulnerable people live but are not applying for assistance to improve outreach and
messaging in those communities.
•
Prioritizing placement in Transitional Sheltering Assistance, Non-Congregate Sheltering,
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 7
or Direct Housing for vulnerable applicants and the development of resource plans to
provide additional support for vulnerable applicants.
•
Understanding whether cultural differences require different operational procedures in
current or future operations to best meet the needs of survivors of all demographic
categories.
•
Comparing demographic data to registration damage self-assessment questions to identify
correlations between demographics and the self-assessment during the registration
process, or the accuracy of the self-assessment and FEMA inspector damage
determinations when the two are compared.
Data Reporting and Information Sharing
FEMA may use information from publicly available sources such as the U.S. Census
Bureau, the U.S. Department of Justice, the Centers for Disease Control and Prevention, and the
U.S. Department of Housing and Urban Development to analyze, aggregate, and disaggregate
demographic characteristics to determine equitable and nondiscriminatory delivery of Individual
Assistance programs and services. FEMA may also use aggregate demographic data obtained
from publicly available sources including state websites, academic institutions, and potentially
consultant organizations. FEMA will not obtain personally identifiable information data from
external data sources. FEMA will only use commensurate, aggregate demographic data when
comparing the information to publicly available aggregate data sources.
Typical Transaction for the Collection, Use, and Sharing of Demographic Information
A typical transaction begins with the registration process. The survivor may complete a
self-paced internet or mobile registration or contact the FEMA registration call center to register
for disaster assistance with the help of a FEMA employee. At the end of the registration process,
the survivor receives a second Privacy Act Statement indicating that FEMA needs to collect
demographic information. The survivor must respond to the Individual Assistance demographic
questions to complete the Registration Intake process; however, one of the responses to each
question is “prefer not to answer.” The second Privacy Act Statement serves as notice to
individuals that responses to the demographic questions, including their decision to respond to
any demographic question with “prefer not to answer,” will not affect their eligibility
determination or prevent them from receiving assistance. The survivor answers all demographic
questions and then submits to complete the registration process.
FEMA will then house the demographic data within the Individual Assistance System and
will not make the data accessible using the normal application interface. Only select data
specialist staff and FEMA Office of the Chief Information Officer (CIO) database administrators
will have access to the data. FEMA assigns access to program analysis data specialists who will
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 8
perform equity analysis projects to ensure FEMA is meeting its regulatory requirements to
provide equitable disaster assistance. FEMA data specialists access the information using
elevated privilege user accounts specially designed to access demographic data. FEMA data
specialists must adhere to all FEMA data safeguarding guidelines in the performance of their
program analysis project duties. In addition, FEMA data specialists with access to demographics
data can also pull registration, eligibility (e.g., decisions, appeals), and customer survey data to
run reports with all needed data elements.
To create the datasets used for equity analysis, the FEMA data specialist will pull datasets
from the equity demographics records, registration intake records, and customer satisfaction
surveys from the source systems into the Enterprise Data Warehouse. FEMA will place records
pertaining to disaster assistance in inactive storage two years after receiving the application and
will destroy when the records are six years and three months old, in accordance with National
Archives and Records Administration (NARA) Authority N1-311-86-1, item 4C10a.
FEMA maintains the data in accordance with federal retention schedule requirements.
Further, FEMA will dispose of all data in accordance with FEMA cyber security and Records
Management guidelines.
Fair Information Practice Principles (FIPPs)
The Privacy Act of 19747 articulates concepts of how the federal government should treat
individuals and their information and imposes duties upon federal agencies regarding the
collection, use, dissemination, and maintenance of personally identifiable information. The
Homeland Security Act of 2002 Section 222(2) states that the Chief Privacy Officer shall assure
that information is handled in full compliance with the fair information practices as set out in the
Privacy Act of 1974.8
In response to this obligation, the DHS Privacy Office developed a set of Fair Information
Practice Principles (FIPPs) from the underlying concepts of the Privacy Act to encompass the full
breadth and diversity of the information and interactions of DHS.9 The Fair Information Practice
Principles account for the nature and purpose of the information being collected in relation to
DHS’s mission to preserve, protect, and secure.
DHS conducts Privacy Impact Assessments on both programs and information technology
systems, pursuant to the E-Government Act of 2002, Section 20810 and the Homeland Security
7
5 U.S.C. § 552a.
6 U.S.C. § 142(a)(2).
9
U.S. DEPARTMENT OF HOMELAND SECURITY, PRIVACY POLICY GUIDANCE MEMORANDUM 200801/PRIVACY POLICY DIRECTIVE 140-06, THE FAIR INFORMATION PRACTICE PRINCIPLES:
FRAMEWORK FOR PRIVACY POLICY AT THE DEPARTMENT OF HOMELAND SECURITY (2008),
available at https://www.dhs.gov/privacy-policy-guidance.
10
44 U.S.C. § 3501 note.
8
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 9
Act of 2002, Section 222.11 Given that FEMA Equity Analysis is a program rather than a particular
information technology system, this Privacy Impact Assessment examines the privacy impact of
FEMA Equity Analysis as it relates to the Fair Information Practice Principles.
1. Principle of Transparency
Principle: DHS should be transparent and provide notice to the individual regarding its
collection, use, dissemination, and maintenance of PII. Technologies or systems using PII must be
described in a SORN and PIA, as appropriate.
FEMA provides notice by way of this Privacy Impact Assessment, the Individuals and
Households Program Equity Demographic Records System of Records Notice (SORN), publicfacing content describing the program and methodology on FEMA.gov, and through Privacy Act
Statements at points of collection.
Also, FEMA provides notice by way of its publication of OMB 1660-NW133, IHP Equity
Demographic Records (FEMA Form FF-256-FY-21-100), which covers the collection of
Individuals and Households Program and Equity demographic questions and outlines FEMA’s
legal authority and tools/forms used to retrieve the information from individuals. The Individual
Assistance Division will collect the demographic information electronically in conjunction with
the Individual Assistance registration process, using FEMA Form FF 009-0-1 (OMB 1660-0002).
Demographic information will include a citation regarding its separate collection and disuse in
determining registrant eligibility, and Individual Assistance information systems will undergo an
update to incorporate the collection citation and updated Privacy Act Statement.
FEMA is also updating the Privacy Act Statements for forms in OMB 1660-0143, FEMA
IA Customer Satisfaction Surveys; 1660-0145, Programs Customer Satisfaction Surveys; 16600130, Long Term Recovery Survey Study; and 1601-0029, FEMA Customer Experience Survey, to
notify survey respondents that their responses may be linked to their original application and
demographic data for the purposes of equity analysis.
The Privacy Act Statement, which is provided prior to the collection of demographic
information, and this Privacy Impact Assessment, also inform individuals of their right to decline
the sharing of their personal information. FEMA staff read the Privacy Act Statement to Individual
Assistance registrants during Registration Intake if they call FEMA’s call center to register, or
applicants read and acknowledge the Privacy Act Statement during their registration online or
through the FEMA mobile application. The Privacy Act Statement will explicitly inform
individuals that FEMA may combine their registration information with demographic information
for equity analysis, and that FEMA will ask demographic questions prior to completing the
registration process.
11
6 U.S.C. § 142.
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 10
The paper registration, online registration, and FEMA mobile application are instruments
for the registration process collection. The paper registration is currently an instrument for the
general collection, under OMB 1660-0002, and will be an instrument, if included, for the
overarching collection. FEMA will add an Appendix to this Privacy Impact Assessment to
document any new or updated tools or OMB collections covered under this Privacy Impact
Assessment.
Privacy Risk: There is a risk that individuals who apply for Individual Assistance benefits
and who participate in FEMA surveys may not be aware of how their demographic information
may be used.
Mitigation: This risk is mitigated. FEMA mitigates this risk through the use of Privacy
Act Statements, the publication of this Privacy Impact Assessment and the corresponding
Individuals and Households Program Equity Demographic Records System of Records Notice,
and the pending updates to the existing Enterprise Customer Survey System and Individual
Assistance Privacy Impact Assessments. Additionally, Executive Order 13985, Advancing Racial
Equity and Support for Underserved Communities Through the Federal Government, explicitly
directs agencies like FEMA to assess equity with respect to race, ethnicity, religion, income,
geography, gender identity, sexual orientation, and disability. Further, FEMA has publicly
available webpages dedicated to it focus on equity and ensuring it throughout its mission (Equity
| FEMA.gov).
2. Principle of Individual Participation
Principle: DHS should involve the individual in the process of using PII. DHS should, to
the extent practical, seek individual consent for the collection, use, dissemination, and maintenance
of PII and should provide mechanisms for appropriate access, correction, and redress regarding
DHS’s use of PII.
Once the President declares a major disaster or emergency, or once a disaster is imminent,
FEMA collects personally identifiable information and other information from members of the
public to facilitate providing disaster assistance through the Registration Intake process. The
Disaster Assistance Improvement Plan application collects registration information directly from
the individual registrant when submitting their registration via internet (Home |
disasterassistance.gov), phone, mobile device, or call center. FEMA asks the following
demographic questions during the registration process after collecting the basic registration
information and before officially submitting the registration:
1. Are you Hispanic or Latino? (A person of Cuban, Mexican, Puerto Rican, South or Central
American, or other Spanish culture or origin, regardless of race)
□ Yes
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 11
□ No
□ Prefer Not to Answer
2. Please select the racial category or categories that you most closely identify with. Select as
many as apply.
□ American Indian or Alaska Native
□ Asian
□ Black or African American
□ Native Hawaiian and Other Pacific Islander
□ White
□ Prefer not to answer
3. Are you an enrolled member of a Tribal Nation?
□ Yes
□ No
□ Prefer not to answer
If so, which Tribal Nation are you a member of? _____
4. Is your gender…
□ Female
□ Male
□ Another Identify (e.g., Nonbinary or Gender Non-Conforming)
□ Prefer not to answer
5. Which of the following best describes your highest level of formal education?
□ Did not complete high school
□ High school graduate / GED
□ Some college
□ Associate degree
□ Bachelor’s degree
□ Master’s degree (or Graduate degree to include Master’s and professional)
□ Doctoral degree
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 12
□ Prefer not to answer
6. Is your marital status…
□ Never married
□ Married or living with partner
□ Separated
□ Widowed
□ Divorced
□ Prefer not to answer
Individuals seeking access to their records, or seeking to contest the content of their records, may
submit a request in writing to the below address or online at Request Records through the Freedom
of Information Act or Privacy Act | FEMA.gov.
FEMA FOIA Officer
Records Management Division
Federal Emergency Management Agency
U.S. Department of Homeland Security
500 C Street SW, Washington, D.C. 20472.
Individuals receive notification regarding procedures for correcting their demographic information
from this Privacy Impact Assessment as well as the corresponding IHP Equity Demographic
Records System of Records Notice. Furthermore, applicants to FEMA disaster assistance are
notified via DHS/FEMA/PIA-049 Individual Assistance, DHS/FEMA/PIA-035 Enterprise
Customer Survey System, and DHS/FEMA-008 Disaster Recovery Assistance Files System of
Records Notice12 regarding procedures for updating their disaster assistance registration and
customer satisfaction survey information.
Privacy Risk: There is a risk that individuals responding to demographic questions cannot
edit or correct the demographic information once provided to FEMA.
Mitigation: This risk is partially mitigated. The demographic questions are not visible or
editable, so the applicants and FEMA call center agents cannot see or update the responses on the
front end of Individual Assistance System. Individuals may request corrections to their information
by submitting a written request to the system manager.13 In such a case, the software developer
12
DHS/FEMA-008 Disaster Recovery Assistance Files, 87 Fed. Reg. 7852 (February 10, 2022).
The submission of requests to amend records is addressed in 44 C.F.R. § 6.50. It states that “[a]n individual who
desires to amend any record containing personal information about the individual should direct a written request to
the system manager specified in the pertinent Federal Register notice concerning FEMA’s systems of records …
13
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 13
would need to implement the change via script on the back end of the Individual Assistance System
as the end user cannot do so. FEMA does this to ensure additional protections and security to the
demographic information.
Privacy Risk: There is a risk that FEMA does not provide the choice to opt out of the
collection of demographic information by requiring individuals to provide responses to
demographic questions prior to submitting registration information to begin the process of
determining eligibility for disaster assistance.
Mitigation: This risk is mitigated. FEMA includes “prefer not to answer” as a response to
each demographic question. In addition, FEMA uses a Privacy Act Statement to clarify that
responses to the demographic questions, including their decision to respond to any demographic
question with “prefer not to answer,” will not affect their eligibility determination or prevent them
from receiving assistance.
3. Principle of Purpose Specification
Principle: DHS should specifically articulate the authority that permits the collection of PII
and specifically articulate the purpose or purposes for which the PII is intended to be used.
Legal Authorities
Section 308(a) of the Stafford Act states, “the President shall issue, and may alter and
amend, such regulations as may be necessary for the guidance of personnel carrying out Federal
assistance functions at the site of a major disaster or emergency. Such regulations shall include
provisions for ensuring that the distribution of supplies, the processing of applications, and other
relief and assistance activities shall be accomplished in an equitable and impartial manner, without
discrimination on the grounds of race, color, religion, nationality, sex, age, disability, English
proficiency, or economic status.” FEMA collects demographic information to ensure compliance
with Section 308(a) of the Stafford Act and obligations as outlined in the following authorities:
•
Section 408 of the Stafford Act, 42 U.S.C. § 5174, and the implementing regulations found
at 44 C.F.R. § 206.110 - 206.191.
•
Title VI of the Civil Rights Act of 1964, 42 U.S.C. § 2000d et seq., prohibits discrimination
on the grounds of race, color, or national origin by programs or activities receiving federal
financial assistance and authorizes the agency to enforce such provisions.
Each request should include evidence of and justification for the need to amend the pertinent record. Each request
should bear the legend “Privacy Act - Request to Amend Record” prominently marked on both the face of the
request letter and the envelope,” available at 44 C.F.R. § 6.50 - Submission of requests to amend records.
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 14
o 44 C.F.R. part 7, implementing title VI for FEMA-assisted programs. See
specifically § 7.10, which allows data collection to ascertain compliance.
•
Section 308 of the Stafford Act, 42 U.S.C. § 5151, which requires FEMA to distribute
supplies, process applications, and conduct other relief and assistance activities in an
equitable and impartial manner without discrimination on the grounds of race, color,
religion, nationality, sex, age, disability, English proficiency, or economic status.
o 44 C.F.R. § 206.11, implementing regulations for Stafford Act § 308.
•
Section 504 of the Rehabilitation Act of 1973, 29 U.S.C. § 794, prohibits discrimination
based on disability in federally conducted activity and activity receiving federal financial
assistance and authorizes the agency to enforce such provisions.
o Section 505 of the Rehabilitation Act of 1973, 29 U.S.C. § 794a(a)(2),
incorporating title VI remedies, procedures, and compliance for compliance.
o 44 C.F.R. part 16, implementing regulations for section 504 of the Rehabilitation
Act of 1973.
•
Age Discrimination Act of 1975, 42 U.S.C. § 6101 et seq., prohibits discrimination based
on age by programs and activities receiving federal financial assistance and authorizes the
agency to enforce such provisions.
o 44 C.F.R. §§ 7.910-7.949, implementing regulations for the Age Discrimination
Act of 1975.
•
Executive Order 13166, Improving Access to Services for Persons with Limited English
Proficiency, requires federal agencies and recipients of financial assistance to provide
meaningful access to their services for individuals with limited English proficiency.
•
Executive Order 13985, Advancing Racial Equity and Support for Underserved
Communities through the Federal Government, requires federal agencies to assess whether
agency policies and actions create or exacerbate barriers to full and equal participation by
all eligible individuals.
•
Executive Order 13995, Ensuring an Equitable Pandemic Response and Recovery requires
federal agencies to assess whether and ensure that their COVID-19 response efforts are
equitable and to strengthen enforcement of anti-discrimination requirements regarding
COVID-19 care and treatment. The COVID-19 Health Equity Task Force within the
Department of Health and Human Services was established to address the pandemic's
disproportionate and severe impact on people of color and other under-served populations.
Federal agencies are required to work with the task force to collect data to prepare longterm recommendations to reduce the health inequalities that COVID-19 causes or
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 15
exacerbates, including how state and municipal officials allocate equitable resources and
communicate with people of color and underserved communities.
•
Executive Order 13988, Preventing and Combating Discrimination on the Basis of Gender
Identity or Sexual Orientation directs federal agencies to review all policies which
implement the non-discrimination protections on the basis of sex under Title VII of the
Civil Rights Act of 1964 and to extend these protections to the categories of sexual
orientation and gender identity.
4. Principle of Data Minimization
Principle: DHS should only collect PII that is directly relevant and necessary to accomplish
the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified
purpose(s). PII should be disposed of in accordance with DHS records disposition schedules as
approved by the National Archives and Records Administration (NARA).
A working group of employees from across the Recovery Directorate, charged by the
Deputy Associate Administrator for Recovery with evaluating the equity in program delivery,
worked in conjunction with the Office of Equal Rights and program experts to determine which
questions would be helpful for FEMA to identify any concerns or bias in program delivery. The
race and ethnicity questions derive from Revisions to the Standards for the Classification of
Federal Data on Race and Ethnicity, OMB Directive 15,14 which sets the demographic data
collection standards for race and ethnicity. FEMA developed the questions pertaining to Tribal
enrollment, gender, education, and marital status in consultation with OMB and to align with
demographic collections in existing FEMA Individuals and Households Program surveys. Only
individuals within the Recovery Directorate’s Reporting and Analytics Division with approval to
access Individual Assistance data will have access to the demographic records for analysis
purposes on a day-to-day basis. The Recovery Directorate is intentionally limiting viewing or
access to the demographic data to ensure limited and appropriate use. Agency employees are
required to take mandatory data Privacy and Records Management training and adhere to all data
safeguarding rules. The analytical staff will only accessthe data required to conduct equity
analysis. The survey data collection will also employ the same previously approved questions to
help mirror processes already in place within the Agency.
FEMA will place records pertaining to disaster assistance in inactive storage two years
after receiving the application and will destroy them when the records are six years and three
months old, in accordance with NARA Authority N1-311-86-1, item 4C10a.
14
OFFICE OF MGMT. & BUDGET, EXEC. OFFICE OF THE PRESIDENT DIRECTIVE 15, REVISIONS TO
THE STANDARDS FOR THE CLASSIFICATION OF FEDERAL DATA ON RACE AND ETHNICITY (1997),
available at Revisions-to-the-Standards-for-the-Classification-of-Federal-Data-on-Race-and-Ethnicity-October301997.pdf (whitehouse.gov).
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 16
Privacy Risk: There is a risk that FEMA may maintain information collected longer than
necessary or authorized.
Mitigation: This risk is mitigated. FEMA, via the
Division (RTPD), mitigates this risk by conducting manual
applications (wherein information is archived and deleted,
schedule) pursuant to an audit schedule as enforced by each
Security Officer (ISSO).
Recovery Technology Programs
audits of all enterprise Recovery
pursuant to applicable retention
application’s Information System
Privacy Risk: There is a risk that FEMA’s collection of demographic information may
capture more information than necessary to assess its civil rights, nondiscrimination and equity
requirements, and obligations.
Mitigation: This risk is mitigated. The demographic questions added are all covered under
Stafford Act Section 308 and civil rights authorities for non-discrimination. After 2 years of data
collection, FEMA plans to analyze the extent to which data provides useful insights about program
outcomes. If FEMA determines that there are no programmatic outcome differences with any of
the 6 new questions, FEMA will file an amendment to the data collection to remove the
unnecessary questions from the form. For the initial collection, FEMA has determined this is the
least amount of data required to conduct equity analysis.
5. Principle of Use Limitation
Principle: DHS should use PII solely for the purpose(s) specified in the notice. Sharing PII
outside the Department should be for a purpose compatible with the purpose for which the PII was
collected.
The Individual Assistance Division will utilize this information to understand and enhance
civil rights and equity and ensure compliance with FEMA civil rights and equity requirements; to
ensure effectiveness of communication with the public; to identify and remove barriers to
application, qualification, and award of grants; to identify and remove barriers and enhance
programmatic accessibility and equity; and to determine whether the individuals and entities who
apply for, receive, or continue to receive federal disaster assistance and benefits are able to do so
in a nondiscriminatory and equitable manner. FEMA will analyze the demographics of applicants
and recipients of Individual Assistance to determine the agency’s achievement of intended
impacts. If the analysis reveals that a demographic category is not applying for or receiving FEMA
assistance, FEMA will assess for root cause and will develop and implement recommendations to
ensure accessibility and equity.
The project will use FEMA analytics applications and tools, such as the Enterprise Data
Warehouse, approved by the FEMA Office of the Chief Information Officer to search, query, or
analyze Individual Assistance registration and appeals and customer survey information based on
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 17
the demographic categories and protected characteristics pursuant to civil rights laws including the
Stafford Act. For example, FEMA will aggregate and compare the application of policies and
participation in programs to ensure that protected classes including, but not limited to, race, color,
religion, nationality, sex, age, disability, English proficiency, or economic status, are not
intentionally or unintentionally subjected to a pattern or practice that adversely impacts access to
or participation in Individual Assistance.
To mitigate privacy risks, FEMA will, to the extent practicable, only supply aggregate,
anonymized information when sharing inside or outside of DHS. Should the need to share raw
demographic data arise, FEMA will coordinate internally and receive approval from the DHS
Privacy Office before doing so, as outlined in more detail below.
The Individual Assistance Division may provide aggregate, anonymized information to
states to inform disaster recovery operational activities and additional support necessary to
augment federal efforts with state support. For example, the aggregate information may support
the location of FEMA/State Disaster Recovery Centers. Normal agency operations may involve
data sharing outside of DHS. Reports shared with the Department of Justice, the White House,
OMB, or Congress, regarding FEMA’s activities in enforcing nondiscriminatory regulations, may
include aggregate, anonymized demographic data. In addition, information shared with federal
agencies, such as the Department of Health and Human Services (HHS), may include aggregate,
anonymized demographic data.
The Individual Assistance Division also anticipates sharing aggregate, anonymized
demographic data to provide products (such as maps) to share with other federal agencies or states.
The purpose for this sharing will be to focus applicants on, direct and refer them to, and correspond
with them regarding all sources of disaster assistance.
The Individual Assistance Division will maintain a record of each disclosure including
date, nature, purpose, and the name and address of the individual or agency receiving the
disclosure. Additionally, the Individual Assistance Division requires information sharing
agreements with entities receiving a disclosure that includes personally identifiable information.
The Individual Assistance Division maintains and tracks these information sharing agreements and
keeps records of disclosures made pursuant to these agreements.
Privacy Risk: There is a risk that FEMA may use the information collected and maintained
for purposes other than the purpose(s) for its original collection.
Mitigation: This risk is mitigated. FEMA mitigates this risk by collecting information
authorized by federal statute, for the purpose of confirming compliance with FEMA civil rights
and equity requirements. Information sharing (in aggregate form only) with DHS components
outside of FEMA will occur only when necessary to ensure civil rights and equity compliance.
The associated IT systems will limit access to the raw demographic data to only the FEMA staff
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 18
who “need to know” to conduct the analyses. The Individual Assistance Division does not
generally share raw demographic data but in the rare event, such sharing may be required, the
Individual Assistance Division maintains an approval process via the Recovery Directorate’s
Reporting and Analytics Division to generate datasets used in data sharing. A dataset will not leave
the Recovery Directorate’s Reporting and Analytics Division without approval from authorized
data privacy and sharing staff. Approval requires coordination with FEMA-Privacy and Office of
the Chief Counsel Information Law Branch (OCC-ILB), and approval by the DHS Privacy Office.
Privacy Risk: There is a risk that DHS components may use shared demographic
information for purposes other than those outlined in the corresponding System of Records Notice.
Mitigation: This risk is mitigated. Consistent with DHS’s information sharing mission,
FEMA only shares information with other DHS components that have a need to know the
information to carry out their national security, law enforcement, immigration, intelligence, or
other homeland security functions. Generally, FEMA will only share aggregate, anonymized
information. FEMA will not share raw demographic data for purposes not related to equity.
FEMA-Privacy will maintain an accounting of any raw data that is shared.
Privacy Risk: There is a risk that external organizations may use demographic
information for purposes other than those outlined in the System of Records Notice.
Mitigation: This risk is mitigated. FEMA generally will only share equity analysis data as
aggregate datasets. In the rare circumstance in which FEMA may need or be required to share the
raw data, FEMA mitigates this risk by limiting external sharing of information for only those
purposes outlined in the System of Records Notice, unless otherwise required by federal statute.
As referenced above, the Individual Assistance Division requires information sharing agreements
with entities receiving a disclosure that includes personally identifiable information. The
Individual Assistance Division maintains and tracks these information sharing agreements and
keeps records of disclosures made pursuant to these agreements.
In the rare case that it is determined that raw demographic data must be shared externally
in accordance with the System of Records Notice, or as otherwise required by federal statute,
FEMA will coordinate internally with the FEMA-Privacy and Office of the Chief Counsel
Information Law Branch and receive approval from the DHS Privacy Office prior to sharing.
6. Principle of Data Quality and Integrity
Principle: DHS should, to the extent practical, ensure that PII is accurate, relevant, timely,
and complete, within the context of each use of the PII.
Individual Assistance demographic data will consist of self-reported information, and no
additional method for verification may be possible. FEMA does not attempt to correct or ascertain
demographic data from any other source than the individual applicant. FEMA may compare
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 19
general categories of information to aggregate Census data or aggregate geographic demographic
data provided by states or communities to confirm that demographic data collected by FEMA is
consistent with those sources. Problem statements predefine program analysis criteria, and all
equity analyses will focus on the demographic data, survey responses, and Registration Intake
information from a single disaster event. FEMA may look at impacts across all floods, for example.
In these cases, the Registration Intake and demographic data would be matched to the registrant in
the same event. Otherwise, the Registration Intake and demographic data are a 1:1 match to a
registrant in a single disaster event.
Privacy Risk: There is a risk that survivors may provide inaccurate demographic
information, which cannot be verified.
Mitigation: This risk is partially mitigated. The demographic questions are not visible or
editable, so the applicants and FEMA call center agents cannot see or update the responses in the
front end of Individual Assistance System. However, individuals may request corrections to their
information by submitting a written request to the system manager. In such a case, the software
developer would need to implement the change via script on the back end of the Individual
Assistance System as the end user cannot do so.
Privacy Risk: There is a risk that FEMA may make process and policy changes and
determinations based on inaccurate data.
Mitigation: This risk is mitigated. The risk is mitigated by ensuring that FEMA uses
statistically valid methods for analyzing and reporting on data to minimize the impact of a small
number of incorrectly reported data. FEMA may also compare self-reported data to Census
community variables to understand if there appears to be widespread reporting errors and will
consider future adjustments to the question language if it appears that questions may be confusing
to applicants.
7. Principle of Security
Principle: DHS should protect PII (in all forms) through appropriate security safeguards
against risks such as loss, unauthorized access or use, destruction, modification, or unintended or
inappropriate disclosure.
Only trained FEMA employees and contractors authorized by the Recovery Directorate
will conduct equity analysis and access demographic information. The systems that will collect,
store, and disseminate information include the Individual Assistance system, Disaster Assistance
Improvement Plan system, disasterassistance.gov, Operational Data Store (ODS) & Enterprise
Data Warehouse, and Individual Assistance Survivor Online Application & Resources Portal
(SOAR) - the application used by registrants to make inquiries by email. The Individual Assistance
System, Disaster Assistance Improvement Plan system, and Operational Data Store & Enterprise
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 20
Data Warehouse, will collect, store, maintain, and process the raw data. FEMA will utilize
SharePoint to develop, store, maintain, and process aggregate datasets. All systems have
completed their system security plans and undergone the assessment and accreditation process. In
addition, FEMA may also use established workforce utilities, such as SharePoint or shared drive
locations, to collect, store, and disseminate information.
8. Principle of Accountability and Auditing
Principle: DHS should be accountable for complying with these principles, providing
training to all employees and contractors who use PII, and should audit the actual use of PII to
demonstrate compliance with these principles and all applicable privacy protection requirements.
Recovery Directorate staff receive training on the secure collection of data to ensure the
proper handling of personally identifiable information and sensitive personally identifiable
information (SPII) data fields collected during registration. Recovery Directorate staff also
complete mandatory Individual Assistance and Individual Assistance System role-based, just-intime, and instructor-led training courses. Recovery Directorate staff are unable to obtain access to
the demographic data without completing the training classes required for their job position and
having a need to know. The Recovery Directorate currently maintains full-time staff who perform
Individual Assistance program analysis and view individual demographic data for program equity
analysis purposes; other Recovery Directorate staff will not have access to this data. The Individual
Assistance Division will perform audits including third-party internal audits to ensure the proper
use of information in accordance with stated practices in this Privacy Impact Assessment.
Documentation regarding program analysis methodologies will be on record and available for
audit purposes.
All FEMA employees and contractors must receive initial and annual standard privacy
training. Additionally, FEMA IT system users must take initial and annual security training to
ensure their understanding of the proper handling and securing of sensitive information.
The Individual Assistance Division will also develop their computer applications to restrict
access to demographic data. The demographic data will not be visible in the Individual Assistance
applications after its initial collection. The Recovery Directorate will update the standard operating
procedures in advance of the data collection start date to ensure only authorized staff will see
demographic data when required to perform their official work duties.
Conclusion
The Individuals and Households Program Equity Analysis project will collect and analyze
additional demographic information from FEMA applicants and compare that information to
registration intake, appeals, and customer survey records to ensure the equitable and impartial
distribution of supplies, processing of applications, and performance of other relief and assistance
Privacy Impact Assessment
DHS/FEMA/PIA-057 Individuals and Households Program
Equity Demographic Records
Page 21
activities. The DHS Privacy Office developed a set of Fair Information Practice Principles from
the underlying concepts of the Privacy Act of 1974 to encompass the full breadth and diversity of
DHS information and interactions. This Privacy Impact Assessment examines the privacy impact
of Individuals and Households Program Equity Demographic Records collection in relation to the
Fair Information Practice Principles. Further, this Privacy Impact Assessment also puts forth
mitigating strategies to offset any privacy risks resulting from the collection and analysis of
demographic data for the purpose of the Individuals and Households Program Equity Demographic
Records project.
Contact Official
Zachary Usher
Deputy Director
Individual Assistance Division
U.S. Department of Homeland Security
Zachary.usher@fema.dhs.gov
Responsible Officials
Melissa Forbes
Acting Associate Administrator
Office of Response and Recovery
Federal Emergency Management Agency
U.S. Department of Homeland Security
Tammi Hines
Senior Director for Information Management
Office of the Chief Administrative Officer
Federal Emergency Management Agency
U.S. Department of Homeland Security
FEMA-Privacy@fema.dhs.gov
Approval Signature
Original, signed copy on file with the DHS Privacy Office.
________________________________
Lynn Parker Dupree
Chief Privacy Officer
U.S. Department of Homeland Security
(202) 343-1717
File Type | application/pdf |
File Title | DHS/FEMA/PIA-057 Individuals and Households Program Equity Analysis |
Subject | PIA |
Author | FEMA |
File Modified | 2022-06-30 |
File Created | 2022-06-30 |