The GSA Privacy Office (public and TTS-only internal pages) preserves and evolves privacy protections for any individual whose personal information is handled by the agency. In practice, this requires the Office to conduct periodic privacy threshold analyses (PTAs) and privacy impact assessments (PIAs) for each of the GSA’s programs and information systems. This helps the Office ensure legal compliance and mitigate privacy risks.
Privacy risk is partially assessed based on the degree to which a program or information system collects and makes use of personally identifiable information (PII). Per OMB Circular A-130, PII is "information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual."
The privacy risk posed by PII largely depends upon the degree to which it can be used to directly identify a person. Examples of information categories that are always considered sensitive (that is, directly identifying) PII include: driver's license numbers, state identification numbers, and social security numbers. Examples of information categories that pose a risk when paired (that is, stored or displayed together) include: citizenship or immigration status, ethnic or religious affiliation, and mother's maiden name.
Procedure for GSA projects
- Identify the agency at which the product or service in question will obtain its authorization to operate (ATO). If that agency is not the GSA, skip the remaining steps and instead contact the Privacy Office at the agency granting the ATO (as each agency has its own process for conducting privacy threshold analyses and impact assessments).
- For a new system or application, complete a Privacy Threshold Analysis (PTA).
- GSA’s Privacy Office will reach out to help you collaboratively identify, discuss, and evaluate privacy risks, and to determine the ways in which they might be mitigated. It’s important to note that this collaboration may ultimately affect the design of the product or service in question. It might also result in the creation of the following:
  - Privacy Act Notices, which appear at the point of PII collection.
  - System of Records Notices (SORNs), which apprise the public of PII collections.
  - Privacy Impact Assessments (PIAs), which provide a complete assessment of privacy risks and mitigations.
- As you complete and receive sign-off on your product or service’s privacy-related documentation, the Privacy Office may work with you to plan for the creation of any necessary role-based training for the staff who will operate the product or service. This ensures privacy compliance in perpetuity.