1. Purpose.
- This Order issues policies and procedures for identifying and addressing privacy issues in General Services Administration (GSA) Information Technology (IT) systems. For purposes of this Order, a GSA IT system is an IT system owned or operated by GSA, or by a contractor on behalf of GSA, and any IT application or project containing Personally Identifiable Information (PII).
- This Order describes the compliance-driven tools used to identify and mitigate privacy risks: Privacy Threshold Assessments (PTAs), Privacy Impact Assessments (PIAs), Privacy Act Statements, and System of Records Notices (SORNs). It also assigns responsibilities for ensuring compliance with the laws and regulations governing privacy, and with GSA policies and procedures for conducting and maintaining PTAs, PIAs, Privacy Act Statements, and SORNs as part of an information system’s authorization to operate (ATO) package.
2. Background.
- The Privacy Act of 1974, 5 U.S.C. § 552a “establishes a code of fair information practices” that governs the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies. GSA is required to protect PII in accordance with the Privacy Act. GSA shall identify and address potential privacy risks in all life cycle stages (e.g., initiating, developing/acquiring, operating/maintaining, disposing) of GSA IT systems. In addition, GSA shall identify and mitigate potential privacy risks when contractors handle PII on behalf of GSA.
- GSA performs a PTA to determine whether a GSA IT system collects, maintains, or uses PII, and to identify appropriate privacy protection measures. The PTA template is also used to identify other potential categories of Controlled Unclassified Information (CUI).
- GSA performs a PIA as a key tool to ensure that GSA IT systems appropriately protect the privacy of individuals in accordance with the E-Government Act of 2002, PL 107-347 § 208. GSA’s PIA process determines the risks and effects of collecting, maintaining, using, and/or disseminating PII, and it examines and evaluates protections and alternate processes for handling PII to mitigate potential privacy concerns at every life cycle stage (e.g., initiation, development/acquisition, implementation/assessment, operations and maintenance, disposal) in any GSA IT system (including those maintained by contractors). GSA PIAs must comply with OMB M-03-22.
- GSA uses Privacy Notices and Privacy Act Statements to ensure transparency about the information it collects. These notices ensure that GSA informs individuals of the proposed use of the information at the time it asks to collect it, and that GSA limits its collection of information to what is legally authorized and necessary.
- GSA publishes SORNs as required by the Privacy Act of 1974, 5 U.S.C. § 552a. GSA SORNs must comply with OMB Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication Under the Privacy Act, dated December 23, 2016.
- GSA includes a system or application’s SORN, PIA, and/or PTA as part of the ATO package; the timing and conditions of review for those privacy documents are the same as for the overall ATO package.
3. Applicability.
- This Order applies to all GSA employees and contractors. In accordance with GSA IT Security Procedural Guide 09-48, Security and Privacy Requirements for IT Acquisition Efforts, and General Services Acquisition Regulation (GSAR) part 511.171, Requirements for GSA Information Systems, Contracting Officers (COs) must include compliance with this policy in any contract or task order award.
- This Order applies to the Office of Inspector General (OIG) to the extent that the OIG determines that this Order is consistent with the OIG’s independent authority under the Inspector General (IG) Act (see applicable legal and regulatory requirements), and it does not conflict with other OIG policies or mission.
- This Order applies to the Civilian Board of Contract Appeals (CBCA) only to the extent that the CBCA determines that this Order is consistent with the CBCA’s independent authority under the Contract Disputes Act (see applicable legal and regulatory requirements), and it does not conflict with other CBCA policies or mission.
4. Cancellation.
This Order supersedes and cancels 1878.3 CIO CHGE 3 Developing and Maintaining Privacy Threshold Assessments, Privacy Impact Assessments, Privacy Act Notices, and System of Records Notices.
5. Explanation of Changes.
- Updated Chief Privacy Officer (CPO) responsibilities that have been delegated to Privacy Analysts; and
- Added supporting documentation, updated title, and other administrative changes.