Overview of FRTIB Privacy Program
FRTIB’s program is led by FRTIB’s Senior Agency Official for Privacy (SAOP), and is run by the Privacy Division within FRTIB’s Office of General Counsel (OGC). The mission of the Privacy Division is to preserve and enhance privacy protections for all individuals who entrust their personal information to the FRTIB by embedding and enforcing privacy protections throughout all of FRTIB’s activities. The Privacy Division implements requirements in the Privacy Act of 1974, as amended; the E-Government Act of 2002; and the Federal Information Security Modernization Act (FISMA), as well as policy directives and best practices issued in furtherance of those Acts.
The Privacy Division adheres to the policy framework embodied in the Fair Information Practice Principles (FIPPs) to ensure that individual privacy is protected throughout the collection, maintenance, use, and dissemination of all personally identifiable information (PII) maintained by the FRTIB. The FIPPs consist of the following five core principles: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress. The Privacy Division carries out the following core functions:
- Develops and administers FRTIB’s privacy policies and procedures;
- Provides privacy awareness training and targeted privacy trainings to FRTIB personnel;
- Assesses all new or proposed programs, systems, technologies, and business processes for privacy risks and provides recommendations to strengthen privacy protections;
- Collaborates with FRTIB’s Information Technology Security Management Division (ITSMD) to implement and operationalize policies to secure the confidentiality, integrity, and availability of FRTIB’s information and information systems;
- Operates a data breach response program to ensure that all incidents involving personally identifiable information (PII) are properly reported, investigated, and mitigated, as appropriate; and
- Maintains updated privacy artifacts in compliance with legal requirements (e.g., System of Records Notices, Privacy Impact Assessments, and Privacy Act Notices).
FRTIB Privacy Office Organization
Pursuant to the Federal Employees’ Retirement System Act of 1986 (FERSA), FRTIB is required to administer the Thrift Savings Plan (TSP) prudently, solely in the interest of TSP participants and their beneficiaries, and for the exclusive purpose of providing benefits to participants and their beneficiaries. FRTIB’s Privacy Program is housed within the Office of General Counsel (OGC). The Privacy Division within OGC develops and executes strategies to ensure that privacy is protected for all individuals who entrust their personal information to the FRTIB, including (1) TSP participants and beneficiaries; and (2) FRTIB employees and contractors, while promoting the integrity and usability of FRTIB’s data, one of FRTIB’s most valuable strategic assets. The Privacy Division is led by FRTIB’s General Counsel, who has also been formally designated as FRTIB’s Senior Agency Official for Privacy (SAOP) pursuant to OMB Memorandum 16-24, Role and Designation of Senior Agency Officials for Privacy.
The SAOP is FRTIB’s key policy advisor on implementing the Privacy Act of 1974; the privacy provisions of the Federal Information Security Modernization Act (FISMA); the privacy provisions contained in the E-Government Act of 2002; Office of Management and Budget (OMB) requirements; and National Institute of Standards and Technology (NIST) guidance. In accordance with OMB Circular A-130, Managing Information as a Strategic Resource, the SAOP is responsible for:
- Serving as FRTIB’s senior policy authority on matters relating to the public disclosure of information, advising on privacy issues related to informed consent, disclosure risks, and data sharing;
- Developing and overseeing implementation of Agency-wide policies and procedures relating to the Privacy Act, and assuring that personal information contained in Privacy Act systems of records is handled in compliance with its provisions;
- Communicating FRTIB’s privacy vision, principles, and policies internally and externally;
- Advocating strategies for data and information collection and dissemination, to ensure FRTIB’s privacy policies and principles are reflected in all operations;
- Managing privacy risks associated with FRTIB activities that involve the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII by programs and information systems;
- Ensuring that FRTIB employees have the appropriate training and education concerning privacy laws, regulations, policies, and procedures;
- Working with FRTIB stakeholders to ensure that vendors doing business with FRTIB that have access to PII abide by federal privacy requirements;
- Overseeing FRTIB’s process for reviewing and approving Privacy Impact Assessments (PIA) to ensure compliance with the E-Government Act;
- Coordinating with FRTIB’s Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) to ensure that the FISMA assessment and authorization (A&A) process for new and existing systems appropriately addresses privacy-related risks; and
- Partnering with the CTO and CISO to ensure all aspects of FRTIB’s privacy program are incorporated into FRTIB’s enterprise infrastructure, information technology (IT), and IT security program.
In accordance with OMB Memorandum 16-24, FRTIB’s SAOP has delegated the daily operations of FRTIB’s privacy program to a senior attorney within OGC, who functions as FRTIB’s Chief Privacy Officer (CPO). With the oversight of FRTIB’s SAOP, the CPO handles all of the substantive components of FRTIB’s Privacy Division. Additionally, FRTIB’s Privacy Division is staffed by a team of attorneys who are dedicated full-time to privacy matters and have no other duties.
Strategic Goals and Objectives for Privacy
Maintain compliance with federal privacy laws, regulations, and best practices.
The Privacy Division serves two primary functions with respect to compliance. First, the Privacy Division represents the interests of TSP participants and beneficiaries by ensuring compliance with federal privacy laws, regulations, and best practices. Second, the attorneys in the Privacy Division provide legal advice to the Executive Director, Board Members, and staff of the FRTIB. Adhering to privacy laws and implementing best practices is critical to the success of both the Privacy Division and the Agency as a whole.
- Objective 1.1 – Increase accountability and transparency by enhancing FRTIB’s foundational privacy documents to comply with the Privacy Act, the E-Government Act of 2002, OMB requirements, and best practices. These documents include FRTIB’s System of Records Notices (SORNs), Privacy Threshold Analyses (PTAs), and Privacy Impact Assessments (PIAs).
- Objective 1.2 – Provide sound and consistent legal advice to FRTIB’s client offices concerning the interpretation and application of federal privacy laws, regulations, and other best practices.
- Objective 1.3 – Review, assess, and advise business owners throughout FRTIB about FRTIB programs, projects, information sharing arrangements, systems, and other initiatives to comply with the Fair Information Practice Principles (FIPPs). This includes limiting the collection, maintenance, use, and dissemination of PII whenever possible.
- Objective 1.4 – Ensure that privacy-related complaints and incidents at FRTIB are reported systematically, efficiently processed, and appropriately mitigated in accordance with legal requirements and FRTIB policies and procedures.
Foster a culture of privacy and demonstrate leadership through policy and strategic partnership
The Privacy Division’s core mission is to preserve and enhance privacy protections for all individuals who entrust their personal information to the Agency, and fostering a culture of privacy at the Agency is a necessary component for achieving this mission. In accordance with the FIPPs, FRTIB is authorized to collect only the information necessary to carry out its mission and must use that information in accordance with the stated purpose for which it was originally collected. FRTIB is authorized to collect, maintain, use, and disseminate personal information from TSP participants, beneficiaries, and individuals who work for or seek to work for the Agency.
- Objective 2.1 – Provide guidance and issue policies related to privacy by partnering with leaders in each of FRTIB’s Offices to embed and enhance privacy protections throughout the life cycle of FRTIB initiatives, programs, projects, and systems.
- Objective 2.2 – Leverage the expertise of the Federal Privacy Council, as well as experts from professional privacy associations, to foster dialogue and learn about emerging issues.
Provide outreach, training, and education to promote and enhance privacy Agency wide
FRTIB’s Privacy Division ensures that all FRTIB personnel have a baseline understanding of federal privacy requirements by providing training for new hires and annually thereafter. FRTIB’s Privacy Division also develops and provides targeted, role-based training to employees with specialized roles on a periodic basis.
- Objective 3.1 – Ensure consistent application of privacy requirements across the Agency.
- Objective 3.2 – Develop and deliver targeted, role-based training for employees with specialized roles and other key stakeholders across the Agency.
- Objective 3.3 – Educate FRTIB personnel about the importance of adhering to the FIPPs and partner with key stakeholders to embed the FIPPs into FRTIB’s business practices.
Develop and maintain top privacy professionals in the federal government
FRTIB’s Privacy Division has grown considerably over the past few years and continues to mature. Attracting and retaining specialized talent is critical to the Privacy Division’s continued success. Providing support and opportunities for professional growth and development, and maintaining a workplace environment in which staff are valued, are all crucial to recruiting and retaining a high-performing workforce.
- Objective 4.1 – Support employee development and emphasize the importance of training and professional development in performance planning, including increasing each year the number of staff holding privacy certifications from a nationally recognized professional association.
- Objective 4.2 – Reward exceptional employee performance and recognize individual contributions that enhance the Privacy Division’s mission.