M-09-29 Attachment: SAOP Questions
Annual FISMA Reporting Senior Agency Official for Privacy (SAOP) Questions
Question 1: Information Security Systems
Identify the number of agency and contractors systems that contain Federal information in identifiable form. Identify the number of agency and contractor systems for which a Privacy Impact Assessment (PIA) is required under the E-Gov Act and identify the number of agency and contractor systems covered by an existing PIA. Please identify the number of systems for which a system of records notice (SORN) is required under the Privacy Act and identify the number of systems for which a current SORN has been published in the Federal Register.
Question 2: Links to PIAs and SORNS
Provide the URL of the centrally located page on the agency web site listing working links to agency PIAs.
Provide the URL of the centrally located page on the agency web site listing working links to the published SORNs.
Question 3: Senior Agency Official for Privacy (SAOP) Responsibilities
Can your agency demonstrate through documentation that the privacy official participates in all agency information privacy compliance activities (i.e., privacy policy as well as IT information policy)? Yes or No.
Can your agency demonstrate through documentation that the privacy official participates in evaluating the ramifications for privacy of legislative, regulatory and other policy proposals, as well as testimony and comments under Circular A-19? Yes or No.
Can your agency demonstrate through documentation that the privacy official participates in assessing the impact of technology on the privacy of personal information? Yes or No.
Question 4: Information Privacy Training and Awareness
Does your agency have a policy in place to ensure that all personnel (employees, contractors, etc.) with access to Federal data are generally familiar with information privacy laws, regulations and policies, and understand the ramifications of inappropriate access and disclosure? Yes or No.
Does your agency have a program for job-specific and comprehensive information privacy training for all personnel (employees, contractors, etc.) directly involved in the administration of personal information or information technology systems, or with significant information security responsibilities? Yes or No.
Question 5: PIA and Web Privacy Policies and Processes
Does the agency have a written policy or process for each of the following? (Yes / No)
PIA Policies:
- Determining whether a PIA is needed
- Conducting a PIA
- Evaluating changes in business process or technology that the PIA indicates as necessary
- Ensuring systems owners and privacy and IT experts participate in conducting the PIA
- Making PIAs available to the public in the required circumstances
- Making PIAs available in other than required circumstances
Web Policies:
- Determining continued compliance with stated web policies
- Requiring machine-readability of public-facing agency web sites (i.e., use of P3P)
Question 6: Reviews Mandated by Privacy Act of 1974, the E-Government Act of 2002, and the Federal Agency Data Mining Reporting Act of 2007
Indicate which reviews were conducted in the last year by component/bureau for the following items:
- a. Section M Contracts
- b. Records Practices
- c. Routine Uses
- d. Exemptions (Please include the number of reviews conducted during the last year)
- e. Matching Programs (Please include the number of reviews conducted during the last year)
- f. Training
- g. Violations: Civil Action
- h. Violations: Remedial Action
- i. System of Records (Please include the number of reviews conducted during the last year)
- j. (e)(3) Statements (Please include the number of reviews conducted during the last year)
- k. Privacy Impact Assessments and Updates (Please include the number of reviews conducted during the last year)
- l. Data Mining Impact Assessment
Question 7: Written Privacy Complaints
Indicate the number of written complaints for each type of privacy issue allegation received by the SAOP, in addition to the number of complaints for each type of complaint.
- a. Process and Procedural -- consent, collection, and appropriate notice
- b. Redress -- non-Privacy Act inquiries seeking resolution of difficulties or concerns about privacy matters
- c. Operational -- inquiries regarding Privacy Act matters not including Privacy Act requests for access and/or correction
- d. Referrals -- complaints referred to another agency with jurisdiction
Question 8: Policy Compliance Review
Does the agency have current documentation demonstrating review of compliance with information privacy laws, regulations, and policies? Yes or No.
Can the agency provide documentation of planned, in progress, or completed corrective actions necessary to remedy deficiencies identified in compliance reviews? Yes or No.
Does the agency use technologies that enable continuous auditing of compliance with stated privacy policies and practices? Yes or No.
Does the agency coordinate with the agency's Inspector General on privacy program oversight? Yes or No.
Question 9: Information About Advice Provided by the SAOP
Please state “Yes” or “No” to indicate if the SAOP has provided formal written advice in each of the listed categories, and briefly describe the advice. For descriptions of training, please provide the number of employees (or contractors) who participated in the training.
- a. Agency policies, orders, directives, or guidance governing agency handling of personally identifiable information
- b. Written Agreements (either Interagency or with Non-Federal Entities)
- c. Reviews or feedback outside of the SORN and PIA process (e.g., formal written advice in the context of budgetary or programmatic planning)
- d. Privacy Training (either stand-alone or included with training on related issues)
Question 10: Agency Use of Persistent Tracking Technology
Indicate Yes or No for each item below:
- a. Does the agency use persistent tracking technology on any web site?
- b. Does the agency annually review the use of persistent tracking?
- c. Can the agency demonstrate through documentation the continued justification for, and approval to use, the persistent tracking technology?
- d. Can the agency provide the notice language or citation for the web privacy policy that informs visitors about the persistent tracking?
Question 11: Privacy Points of Contact Information
Please provide the names, phone numbers, and e-mail addresses of the following officials:
- a. Agency Head
- b. Chief Information Officer
- c. Agency Inspector General
- d. Chief Information Security Officer
- e. Senior Agency Official for Privacy
- f. Chief Privacy Officer
- g. Privacy Advocate
- h. Privacy Act Officer
- i. Reviewing Official for PIAs
- j. POC for URL links provided in question #2