GSA Privacy Act Program

1.  Purpose.

This policy incorporates by reference the GSA Privacy Act Program Website as the official employee reference vehicle for GSA’s privacy program, policy and procedures. The GSA Privacy Act Program addresses information privacy and security issues, establishes GSA’s privacy policies and procedures, provides guidance and direction on implementing program requirements, defines privacy related contracting requirements, and assigns responsibilities to ensure compliance with the Privacy Act of 1974, as amended, and other applicable laws and regulations.

2.  Cancellation.

This Order cancels and supersedes CIO P 1878.1 GSA Privacy Act Program, dated September 2, 2014.

3.  Revisions.

     a.  Directive number changed to a new series of classification numbers for “Privacy Act and Personally Identifiable Information (PII)” related policies;

     b.  Outdated links updated;

     c.  Responsibilities section added; and

     d.  Updated references and the definition of PII.

4.  Policy.

In accordance with the Privacy Act of 1974, privacy protection is both a personal and fundamental right of any individual, whose personally identifiable information (e.g., social security number, date of birth, home address or personal email address) is collected, maintained, and used by GSA to carry out the agency mission and responsibilities and to provide services. OMB Circular A-130 defines Personally Identifiable Information (PII) as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. GSA’s policy is to safeguard personal information as mandated by laws and regulations. The GSA Privacy Act Program promulgates GSA policy for ensuring compliance with legal requirements to protect PII.  

5.  Responsibilities.

• Senior Agency Official for Privacy (SAOP). As directed in OMB Memo M-16-24 and OMB Circular A-130, the GSA Privacy Act Program shall be led by the SAOP who is responsible for ensuring compliance with applicable privacy requirements, developing and evaluating privacy policy, and managing privacy risks consistent with the agency’s mission.

• The GSA Data Integrity Board. Headed by the SAOP, this board oversees organizational Computer Matching Agreements and ensures that any such agreements GSA may enter into are published on a public GSA website.

• Chief Privacy Officer. Oversees GSA’s Privacy Program with the mission to preserve and enhance privacy protections for all individuals whose personal information is handled by GSA; encourage transparency of GSA operations involving PII; and support privacy-enabling technology services. The Chief Privacy Officer also ensures that privacy risks are mitigated in a timely fashion and in accordance with the requirements in GSA CIO 9297 Information Breach Notification Policy, conducts continuous privacy monitoring of GSA systems, and leads the agency response team for PII breaches. 

• Privacy Office. Under direction of the Chief Privacy Officer, GSA Privacy Office employees are responsible for managing the Privacy Program and ensuring compliance with all Privacy Act-related policies.

• Controlled Unclassified Information Program Manager (CUI PM). Under direction of the Chief Privacy Officer and the CUI Senior Agency Official, the CUI PM is responsible for implementing the CUI program throughout GSA and ensuring compliance with the policies and procedures set forth by 32 CFR 2002 and the CUI Executive Agent.

 6.  Applicability.

The GSA Privacy Act Program applies to:

• All GSA Services and Staff Offices and Regional Components;

• All GSA employees who manage, acquire, maintain, disseminate, or use any individual’s personal information protected by the Privacy Act of 1974;

• Any GSA Contractors, subcontractors, individual corporations, and other organizations that process or handle GSA-controlled information; and

• The Office of Inspector General (OIG) only to the extent that the OIG determines it is consistent with the OIG’s independent authority under the Inspector General Act and it does not conflict with other OIG policies or the OIG mission; and

• The Civilian Board of Contract Appeals (CBCA) only to the extent that the CBCA determines it is consistent with the CBCA’s independent authority under the Contract Disputes Act and it does not conflict with other CBCA policies or the CBCA mission.

7.  Explanation of Format.

The GSA Privacy Act Program is web-based to facilitate information access through technology and to allow for updating critical changes in a timely manner. The web site is located on GSA.gov at https://www.gsa.gov/reference/gsa-privacy-program.