Privacy Control Requirements
FRTIB has implemented NIST SP 800-53, Rev. 4 to ensure compliance with applicable statutory, regulatory, and policy requirements with respect to information security. FRTIB also adheres to Section 208 of the E-Government Act of 2002, which requires agencies to conduct privacy impact assessments (PIA) for electronic systems and collections. The Privacy Division conducts an initial analysis, known as a privacy threshold analysis (PTA) of each of FRTIB’s electronic systems to determine whether a PIA is required. Finally, FRTIB ensures compliance with the Privacy Act by publishing System of Records Notices (SORN) in the Federal Register.
FRTIB’s Privacy Division is in the process of implementing the privacy controls in NIST SP 800-53, Rev. 4. The Privacy Division has designated each control as program management, common, information system-specific, or hybrid. Common controls are controls that are inherited by multiple information systems. Information system-specific controls are controls that are implemented for a particular information system, or the portion of a hybrid control that is implemented for a particular information system. Hybrid controls are controls that are implemented for an information system in part as a common control and in part as an information system-specific control. The determination as to whether a privacy control is a common, information system-specific, or hybrid control is based on context. The Privacy Division has implemented and assessed the common controls. The Agency is implementing and assessing system-specific controls on a rolling basis as systems are authorized or reauthorized.
A PTA is a questionnaire used to determine if a system contains PII, whether a PIA is required, whether a SORN is required, and whether any other privacy requirements apply to the information system. A PTA is completed when procuring a new information technology system, or when developing or significantly modifying an information system. While a PTA is not a legally required document, FRTIB’s Privacy Division uses it to determine whether legally mandated documents are required for each of FRTIB’s information systems.
A PIA is legally required by Section 208 of the E-Government Act of 2002 and analyzes how information in an identifiable form is collected, maintained, stored, and disseminated. The PIA analyzes the privacy risks as well as any protections and processes in place for handling information to mitigate the privacy risks. PIAs are conducted when:
- Developing or procuring information systems or projects that collect, maintain, or disseminate information in identifiable form from or about members of the public; or
- Initiating a new electronic collection of information in identifiable form from 10 or more persons (excluding agencies, instrumentalities, or employees of the federal government).
FRTIB has incorporated the FIPPs into its PIAs. FRTIB’s PIAs describe: (1) the legal authority that permits the collection of information; (2) the specific type of information used by the system; (3) how and why the system uses the information; (4) whether the system provides notice to individuals that their information is used by the system; (5) the length of time the system retains information; (6) whether and with whom the system disseminates information; (7) procedures individuals may use to access or amend information used by the system; and (8) the physical, technical, and administrative safeguards applied to the system to secure the information.
Pursuant to FRTIB’s PTA/PIA Procedures, if the CPO determines a PIA is required, the Business Owner and Information System Security Officer (ISSO) complete the PIA. An attorney in the Privacy Division then reviews the PIA to ensure it is accurate and complete and analyzes whether privacy risks are mitigated to an acceptable level. Once complete, the CPO signs the document.
FRTIB ensures that contractors and third parties that (1) create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII on behalf of the Agency, or (2) operate or use information systems on behalf of the Agency, comply with the mandated privacy requirements. FRTIB’s Privacy Division coordinates with FRTIB’s Contracting Division to ensure that the applicable privacy clauses are included in the terms and conditions of contracts and other agreements involving the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of FRTIB information.
FRTIB adheres to Privacy Act requirements for publishing system of records notices (SORN) in the Federal Register. A system of records is a group of any records under the control of any agency from which information is retrieved by a unique identifier, including but not limited to an individual’s name, Social Security number, symbol, or other identifier assigned to the individual.
The Privacy Act incorporates the FIPPs into SORNs. SORNs: (1) inform TSP participants and beneficiaries about the kinds of personal information agencies maintain; (2) state the legal authority under which the agency collects and maintains individuals’ information; (3) describe the purpose for which the agency may use the information; (4) describe the categories of information contained in the system of records; (5) describe the physical, administrative, and technical safeguards used to secure the information; (6) describe how an individual may request access to or amend their information; and (7) describe with whom the agency may share information contained within the system of records without obtaining prior consent of the data subject.
FRTIB works with business owners in each of FRTIB’s Offices to ensure that a Privacy Act statement is provided or otherwise made available when the Agency collects PII. FRTIB’s Privacy Act Statements have incorporated key aspects of the FIPPs and provide individuals with the:
- Agency’s legal authority to collect the information, such as statute, executive order, and/or regulation;
- Purpose for collecting the information and how it will be used;
- Routine uses of the information, which describe to whom FRTIB may disclose information and for what purpose; and
- Whether providing the information is mandatory or voluntary, along with the effects, if any, on the individual of not providing all or any part of the information requested.
FRTIB has promulgated regulations which implement the requirements contained in the Privacy Act of 1974. The regulations, which are located at 5 C.F.R. Part 1630, apply to all records maintained by FRTIB that contain identifiable information about individuals and that are included as part of a system of records. FRTIB’s regulations establish procedures that enable individuals to access records maintained about them; provide detailed procedures for how to amend inaccurate information; and limit which individuals may access such information. Additionally, FRTIB’s regulations make clear that a participant’s TSP account number shall be the primary means of identifying a participant’s account, thus reducing reliance on Social Security numbers.