The U.S. Census Bureau has consolidated its data confidentiality, data access, and privacy activities into a Data Stewardship Program, ensuring a focused and sustained level of effort toward data stewardship issues. The mission of the program is to assure that the Census Bureau can effectively collect and use data, while meeting its legal and ethical obligations, especially to respondents. These obligations include fully meeting the legal, ethical, and reporting requirements levied by the Census Act, the Privacy Act, the E-Government Act and other applicable statutes, including those of governmental and other suppliers of data to the Census Bureau. Included are professional ethical responsibilities, such as those articulated in the National Academy of Sciences’ report Private Lives and Public Policies (1993). The Census Bureau honors its commitment to the highest standards through this Data Stewardship Program.
At the core of the program is the Data Stewardship Executive Policy Committee (DSEP), the Census Bureau executive staff focal point for decision-making and communication on privacy, security, confidentiality and administrative records policy issues. The DSEP has adopted a set of Privacy Principles, based in part on privacy guidelines issued by the Organization for Economic Cooperation and Development in 1980, the Principles for Providing and Using Personal Information ("Privacy Principles"), published by the Information Infrastructure Task Force in 1995, and the fair information principles of the Privacy Act. These principles, which are aligned with our mission, guide us in achieving our goals and objectives. Along with the privacy principles, the DSEP put in place new policies (available upon request) that strengthen our cultural commitment to data stewardship.
The Privacy Impact Assessment (PIA) is one tool for implementing and creating awareness of data stewardship policies. Privacy Impact Assessments are required by the E-Government Act of 2002 whenever "developing or procuring information technology . . . or initiating a new collection of information . . . in an identifiable form . . . ." They also are required by Office of Management and Budget (OMB) Circular No. A-11 and OMB Exhibit 300, "Capital Asset Plan and Business Case," which tie together privacy considerations, executive agency funding requests, and Enterprise Architecture (EA) requirements. PIAs also link project and system risk assessments to ensure the provision of adequate security, as defined by OMB Circular A-130. Finally, PIAs link Privacy Act and Paperwork Reduction Act requirements through identification of System of Record Notices (SORNs) and Information Clearance Collection Request (ICRs).
The purpose of PIAs is to ensure no collection, storage, access, use, or dissemination of identifiable respondent information (businesses and individuals) that is not needed or permitted. According to OMB, "PIAs are structured reviews of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to identify and evaluate protections and alternative processes for handling information to mitigate potential privacy risks."
Despite the use of the term "privacy," PIAs typically cover privacy, confidentiality, integrity, and availability issues, which the Census Bureau equates with "data stewardship." Therefore, the Census Bureau refers to these evaluations as Data Stewardship/Privacy Impact Assessments (DS/PIAs).
DS/PIAs facilitate data stewardship, management, awareness, and compliance efforts. At the Census Bureau, DS/PIAs are also a project management tool, allowing program and project managers to integrate data stewardship considerations into the planning and design phases of work. The detailed assessment is based on specific data stewardship policies. This approach has the advantage of detecting and avoiding certain sensitivities early, or of identifying risk mitigation activities that may need to be incorporated into a funding request or change management process.
A full DS/PIA is conducted on programs that contain Personally Identifiable Information (PII), Identifiable Business Information (IBI), or both. Identifiable information is defined as information that directly identifies people or businesses. Examples include direct references such as name, address, social security number, employer identification number, or financial information, and other identifying numbers or codes such as telephone number or email address. It also includes any information used separately or in combination to reference other data elements that are used for identification, such as gender, race, birth date, or geographic indicator. These two types of identifiers (PII and IBI) allow identification of specific individuals or businesses, as defined in the glossary.
A complete assessment ensures alignment with Census Bureau data stewardship strategies, goals, principles and policies. The guidance from OMB directs that PIAs cover the following items:
The Census Bureau DS/PIA addresses the OMB questions in 3 groups, two related to projects and one related to supporting systems:
The review makes use of a structured tool: a series of questions that determine whether the planned system or activity is consistent with our organization’s privacy principles, procedures, and controls. The tool is used by program and project managers throughout the lifecycle of the project, beginning as part of the initial decision-making process when initiating and designing projects that involve the collection or use of identifiable data and the dissemination of products protected by disclosure avoidance techniques. Staff familiar with the privacy principles, policies, and the DS/PIA tool assist program managers in completing the DS/PIA through face-to-face meetings, thereby ensuring consistency and understanding.
The Census Bureau’s DS/PIA exists in Microsoft Excel as a complete workbook. The workbook is broken into the following sections, which are provided as separate "sheets."
provides an overview of the Census Bureau’s DS/PIA process, tool, and the relationship to the Census Bureau’s overall Data Stewardship Program.
provides an overview of the PIA tool and a glossary of frequently used terms.
The DS/PIA Instrument poses a set of questions to program managers and is used to develop the DS/PIA "score." The questions are grouped by Privacy Principle. The associated Privacy Principle is identified in the first column of the sheet. The questions are also grouped into Data and Activity "Sensitivities."
| Code | Sensitivity type |
|------|------------------|
| DR | Data Risk Assessment |
| DRM | Data Risk Mitigation |
| AR | Activity Risk Assessment |
| ARM | Activity Risk Mitigation |
These sensitivities are identified in the second column of the spreadsheet throughout Sheet 4, Assessment.
Risk assessments represent elements of the program that introduce privacy-associated risks. Mitigation activities represent adherence to and application of policy requirements that negate the risks associated with a particular element. This assessment gives the manager opportunity to consider what the most appropriate activities are and ensure all policy requirements are met. See 6.4.3 Subsection 2 Net Scoring and 6.6 Risk Assessment for more information.
Documents a clear link to OMB Exhibit 300 or IT Business Plan, and any applicable Paperwork Reduction Act (PRA) Information Collection Request (ICR). Identifies program contact information and the associated IT Security Plan(s).
Privacy Principle 1, Mission Necessity. Questions cover:
(Sensitive topics are defined as: abortion; alcohol, drug, or other addictive products; illegal conduct; illegal immigration status; information damaging to financial standing, employability, or reputation; information leading to social stigmatization or discrimination; politics; psychological well-being or mental health; religion; same-sex partners; sexual behavior; sexual orientation; taxes; and other information due to specific cultural or other factors.)
Privacy Principle 2, Openness. Questions cover:
Privacy Principle 3, Respectful Treatment of Respondents. Questions cover:
Privacy Principle 4, Confidentiality. Questions cover internal controls related to:
The DS/PIA uses responses to the series of questions in Sheet 4, Assessment, to measure sensitivity and mitigation and calculate a net rating of low, medium, or high for the "data" and "activity" aspects of a project. These two "net" scores make up the Project Score. The last score, System Score, is obtained from the security review and certification described on Sheet 5, IT System Security Evaluation.
Documents the review and approval of the assessment by the Census Bureau program unit Associate Director, Chief Information Officer, and Chief Privacy Officer.
This narrative describes the specific mitigations in place for the particular IT systems supporting a program. It also describes the Census Bureau’s IT security review and certification process, which is undertaken for a computer system. The DS/PIA uses results from this process for the System Score, as identified in 6.4.3 Subsection 3 - Net
An ordinal rating is used to assess the risk level of DS/PIAs. There are two sensitivity matrix sheets, Data Sensitivity, and Activity Sensitivity. The Data Sensitivity Matrix Sheet relates to the data questions on Sheet 4, Assessment. The Activity Sensitivity Matrix sheet relates to activities questions on Sheet 4, Assessment.
There are several scores provided on each matrix. The first is the Total Unmitigated risk level. This represents the risk level prior to or without consideration of the mitigation activities undertaken for the program. The second score is the Net Sensitivity score, which represents the risk level after applying the mitigation strategies. It is this "Net" score that is recorded on Sheet 4, Assessment, Subsection 3 Net Scoring. These "Net" scores are calculated by determining the difference between the total sensitivity scores and the total mitigation scores. The rating break points are: <4 = LOW, 4-11 = MEDIUM, >11 = HIGH.
Each matrix is separated into topic areas. Each of these topic areas is given a score once mitigation scores are applied. This is used as a general gauge to determine where additional risk mitigation strategies might be best applied or considered.
Project sensitivity may vary; however, appropriate mitigation activities keep all projects protected. The goal is to mitigate projects from the high or medium levels to the medium or low levels. Most of the mitigation questions ask about the applicability of and conformance to statute, regulation, or policy. The Census Bureau’s suite of data stewardship policies covers most of the data, activity, and systems sensitivity areas. In a few cases, policies are under development. Therefore, the tool asks about additional activities that a program area may voluntarily undertake to reduce or mitigate sensitivity or risk. The effect of this is recorded on Sheet 7, Activity Sensitivity, as a final revised score if applicable.
In addition, because the scoring system used to identify the adequacy of mitigation activities to sensitivities focuses on net, or mitigated results, it is possible that some variation across programs may be masked. To address that concern, the unmitigated risk score is provided on the Data and Activity Sensitivity sheets.
This sheet categorizes the "data" related questions asked on Sheet 4, Assessment, into either "sensitivities" or "mitigations." These are identified as "DR" for Data Risk Assessment and "DRM" for Data Risk Mitigation throughout Sheet 4. For example, asking about a sensitive topic introduces "sensitivities" to the project. Ensuring adherence to the Respondent Identification Policy, which addresses within-household confidentiality, is a mitigation activity. A score is associated with each question to "net" a rating by topic of low, medium, or high for each topical area.
This sheet is organized in the same manner as the Data Sensitivity Sheet. It covers activity-related question topics, such as those related to use of Special Sworn Status or use of off-site facilities. These questions are identified as "AR" for Activity Risk Assessment and "ARM" for Activity Risk Mitigation throughout Sheet 4, Assessment.
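The scoring model described on the Sensitivity sheets above (unmitigated total, net score as sensitivity minus mitigation, the <4 / 4-11 / >11 break points, per-topic ratings, and the DR/DRM and AR/ARM grouping) is modelled here as an added example; it is not the Census Bureau's workbook, and the question rows, topic names, point values, and the use of the same break points for per-topic ratings are assumptions made for illustration.

```python
# Added example: a minimal scoring model for the DS/PIA instrument.
# Not the Census Bureau's workbook; rows, topics and points are constructed.
from collections import defaultdict

def rating(score):
    """Rating break points from the text: <4 LOW, 4-11 MEDIUM, >11 HIGH."""
    if score < 4:
        return "LOW"
    if score <= 11:
        return "MEDIUM"
    return "HIGH"

def score_matrix(answers, risk_tag, mitigation_tag):
    """Score one sensitivity matrix (Data: DR/DRM, Activity: AR/ARM).

    answers: rows of (sensitivity type, topic area, points). Risk rows add to
    the unmitigated total; mitigation rows are subtracted to give the net.
    Returns (total_unmitigated, net, {topic: rating}). Applying the same break
    points to each topic area is an assumption, not stated on the page.
    """
    sens, mit = defaultdict(int), defaultdict(int)
    for tag, topic, points in answers:
        if tag == risk_tag:
            sens[topic] += points
        elif tag == mitigation_tag:
            mit[topic] += points
    total_unmitigated = sum(sens.values())
    net = total_unmitigated - sum(mit.values())
    per_topic = {t: rating(sens[t] - mit[t]) for t in set(sens) | set(mit)}
    return total_unmitigated, net, per_topic

def project_score(answers):
    """Net data and activity ratings, which together form the Project Score."""
    d_unmit, d_net, d_topics = score_matrix(answers, "DR", "DRM")
    a_unmit, a_net, a_topics = score_matrix(answers, "AR", "ARM")
    return {"data": (d_unmit, d_net, rating(d_net), d_topics),
            "activity": (a_unmit, a_net, rating(a_net), a_topics)}

# Constructed sample of Sheet 4 style rows: (sensitivity type, topic, points).
SAMPLE = [
    ("DR", "sensitive topics", 6),        # question touches a sensitive topic
    ("DR", "identifiers", 5),             # collects direct identifiers
    ("DRM", "identifiers", 4),            # Respondent Identification Policy followed
    ("DRM", "sensitive topics", 3),       # policy-based mitigation for the topic
    ("AR", "special sworn status", 5),    # use of Special Sworn Status
    ("AR", "off-site facilities", 4),     # use of off-site facilities
    ("ARM", "off-site facilities", 4),    # off-site controls in place
]
```

With the sample rows, the data matrix nets 11 - 7 = 4 (MEDIUM) even though each topic area individually rates LOW, which is the masking effect the text warns about and why the unmitigated total is reported alongside the net.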