(Public Law 107-347, of December 17, 2002; 116 STAT. 2899)


(a) PURPOSE.—The purpose of this section is to ensure sufficient protections for the privacy of personal information as agencies implement citizen-centered electronic Government.


    1. IN GENERAL.—An agency shall take actions described under subparagraph (B) before—
      1. developing or procuring information technology that collects, maintains, or disseminates information that is in an identifiable form; or
      2. initiating a new collection of information that—
        1. will be collected, maintained, or disseminated using information technology; and
        2. includes any information in an identifiable form permitting the physical or online contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, 10 or more persons, other than agencies, instrumentalities, or employees of the Federal Government.
    2. AGENCY ACTIVITIES.—To the extent required under subparagraph (A), each agency shall—
      1. conduct a privacy impact assessment;
      2. ensure the review of the privacy impact assessment by the Chief Information Officer, or equivalent official, as determined by the head of the agency; and
      3. if practicable, after completion of the review under clause (ii), make the privacy impact assessment publicly available through the website of the agency, publication in the Federal Register, or other means.
    3. SENSITIVE INFORMATION.—Subparagraph (B)(iii) may be modified or waived for security reasons, or to protect classified, sensitive, or private information contained in an assessment.
    4. COPY TO DIRECTOR.—Agencies shall provide the Director with a copy of the privacy impact assessment for each system for which funding is requested.
    1. IN GENERAL.—The Director shall issue guidance to agencies specifying the required contents of a privacy impact assessment.
    2. GUIDANCE.—The guidance shall—
      1. ensure that a privacy impact assessment is commensurate with the size of the information system being assessed, the sensitivity of information that is in an identifiable form in that system, and the risk of harm from unauthorized release of that information; and
      2. require that a privacy impact assessment address—
        1. what information is to be collected;
        2. why the information is being collected;
        3. the intended use of the agency of the information;
        4. with whom the information will be shared;
        5. what notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared;
        6. how the information will be secured; and
        7. whether a system of records is being created under section 552a of title 5, United States Code, (commonly referred to as the ‘‘Privacy Act’’).
  3. (3) RESPONSIBILITIES OF THE DIRECTOR.—The Director shall—
    1. develop policies and guidelines for agencies on the conduct of privacy impact assessments;
    2. oversee the implementation of the privacy impact assessment process throughout the Government; and
    3. require agencies to conduct privacy impact assessments of existing information systems or ongoing collections of information that is in an identifiable form as the Director determines appropriate.