Thank you for visiting the FSIS website and reviewing our privacy policy.  Please note you are not required to provide personally identifiable information (PII) to visit our website.  However, if you choose to send an e-mail or message, register for an event, provide a survey response, or ask us to respond to a complaint, you may be providing FSIS with PII.

Any PII you choose to provide FSIS will be used only for the purpose for which you provided it. We will protect your information consistent with the principles of the Privacy Act of 1974, the E-Government Act of 2002, and the Federal Records Act.

We do collect some technical information that does not include PII when you visit our site, as explained below.

Information Collected and Stored Automatically

When you browse through the website, read pages, or download information, we may gather and store certain information about your visit automatically. This information does not identify you personally. We automatically collect and store:

1. The Internet domain (for example, "xcompany.com" or "yourschool.edu") and IP address (a number that is automatically assigned to your computer whenever you are surfing the web) from which you access our site;
2. The type of browser and operating system used to access our site;
3. The date and time you access our site;
4. The pages you visit; and
5. If you linked to the FSIS site from another website, the address of that website; and
6. Search phrases entered into the search box.

We use this information to learn about the number of visitors to our site and the types of technology they are using, which helps us make our site more useful. We do not track or record information about individuals and their visits. We do not track your web activities beyond your browsing of our site, and we do not cross-reference your browsing activities with other entities. We do not provide your information to other entities.

Children's Online Privacy Protection Act (COPPA)

COPPA applies to the online collection of personal information from children under age 13. USDA complies with COPPA and does not knowingly collect personal information about children.

Cookies

The Office of Management and Budget Memo M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies allows Federal agencies to use session and persistent cookies.

When you visit any website, its web servers may generate pieces of information known as cookies. Cookies are small files that web servers place on a user's hard drive that help a website or service “remember” your preferences, surfing patters and behavior. There are two types of cookies:

1. Session cookies, also known as transient or per session cookies, serve technical purposes, like providing seamless navigation through USDA.gov. They are stored in temporary memory and are only available during an active browser session. Once you close your browser, the cookie disappears.
2. Persistent cookies, also known as permanent or stored cookies, are used to collect identifying information about the user, such as user name, web surfing behavior or user preference for a specific website. These cookies operate until they expire or a user deletes them.

USDA may use both types of cookies to improve our online services to you.

You can disable cookies by adjusting the setting to opt out or disable cookies on your web browser. You will still have access to all information and resources at Department websites. However, turning off cookies may affect the functioning of the website. Be aware that disabling cookies in your browser may affect cookie usage at all other websites you visit as well.

If You Send Us Personal Information

If you choose to provide us with personal information, as in an e-mail to the webmaster, FOIA officer, or other FSIS office or employee, we use that information to respond to your message and to help us locate the information you have requested. We do not collect personal information for any purpose other than to respond to you.

Web-based Forms 

If you complete a publication order form, we use that information only to fulfill your publication request.

If you register for a meeting on our website, we use that information internally to plan that meeting and similar future events.

If you submit a complaint using our web-based Consumer Complaint Form, the information you provide is used to help FSIS analysts identify and respond to consumer food safety issues. Such information typically includes first name, last name, address, phone number, e-mail address, and details of the complaint. Details of the complaint can include medical symptoms and medical treatment obtained, as well as information about the origin of the food item under consideration. Complainants retain the right to report a complaint anonymously and can decide not to provide information, but they do not have the option to determine how we use the information that is provided for investigative purposes.

Electronic Mail 

We treat e-mail messages the same way that we regard letters sent to the Food Safety and Inspection Service.

1. We are required to maintain many documents under the Presidential Records Act for historical purposes, but we do not collect personal information for any purpose other than to respond to you.
2. We share the information you give us with another government agency only if your inquiry relates to that agency, or as otherwise required by law.
3. We do not create individual customer profiles with the information you provide or give it to any private organizations.
4. FSIS does not collect information for commercial marketing.

We recommend that you do not include sensitive PII (for example, Social Security or account numbers) when sending e-mail to FSIS.

If You Submit Comments on a Draft Document or Agency Issuance

If you have provided comments to FSIS in the past regarding a Federal Register Notice or proposed rule, those comments are available for viewing on our site in their entirety, including any personal contact information.

Currently, comments on agency issuances are being uploaded to the Regulations.GOV portal. FSIS will provide links from our site to view the comments submitted to Regulations.GOV. The Privacy and Security Notice explains how the information you submit will be used by Regulations.GOV.

Sometimes FSIS requests feedback outside the realm of formal notice-and-comment rulemaking. For example, FSIS periodically asks for comments on draft Compliance Guidelines. All comments received in response to such requests will be made available for public inspection in the FSIS Docket Room and posted, without change, including any personal information, to the website.

Links to Other Sites

Our website has links to many other Federal agencies. In a few cases we link to private organizations, with their permission (for example, iTunes feeds for podcasts). Once you access another site through a link that we provide, you are subject to the privacy policy of the new site. Please read the privacy policy of each website you visit.

When you are on the FSIS website, the domain name will end in .GOV. It will generally begin with http://www.fsis.usda.gov. There are a few exceptions.

1. If you subscribe to our e-mail subscription service, your e-mail address and subscription choices will be maintained at https://public.govdelivery.com. E-mail messages will come from usfsis@public.govdelivery.com. The message itself will include in the footer, "This e-mail was sent...using GovDelivery, on behalf of the USDA Food Safety and Inspection Service, U.S. Department of Agriculture."
2. When using the electronic consumer complaint form, you will see the domain name https://foodcomplaint.fsis.usda.gov/.

Mobile Applications

If you download one of our mobile "apps" for an Android or Apple device, please take note of the specific information in the app store. You will find a disclaimer similar to this one:

Disclaimer:
Our mobile applications are provided “as is” and on an “as-available” basis. We hereby disclaim all warranties of any kind, express or implied, including without limitation the warranties of merchantability, fitness for a particular purpose, and non-infringement. We make no warranty that our mobile applications will be error-free, that the underlying data will be error-free, or that access thereto will be continuous or uninterrupted. USDA does not warrant, either explicitly or by implication, that this software program will not cause damage to the user’s computer or computer operating system, nor does USDA warrant, either explicitly or implicitly, the effectiveness of the software application.

For more information on the use of mobile apps, consult the documentation for your particular device.

More Information on Vendor-Provided Services

As noted, FSIS does offer some website services through third parties.

1. To use our e-mail subscription service, you will need to provide an e-mail address. No other information is collected. You may password protect your account.

As with any information you provide to FSIS, this information is secure and is used only to respond to your request.

Privacy Impact Assessments

This USDA.gov page provides links to Privacy Impact Assessments (PIA) for USDA electronic information systems. For more information, consult the departmental USDA Privacy Policy page.

Social Media

The USDA uses third-party services such as Facebook, Twitter, and YouTube to communicate and interact with the public. You may encounter these services as separate websites (for example, the USDA Facebook page, or as applications embedded within the USDA's websites. These services are controlled and operated by third parties, and are not government websites or applications. By interacting with USDA through these third-party services, you may be providing non-government third parties access to your personal information which can be used to distinguish or trace your identity. Any information collected by a third-party service is subject to the privacy policies of the third-party service provider. These third-party services may, for example, use persistent (multi-session) cookies.

Generally, USDA does not collect, disseminate, or maintain any personally identifiable information about you maintained by third-party sites. However, you should be aware that USDA may read, review, or rely upon information that you make publicly available for the USDA on these services (for example, comments made on the USDA's Facebook page), as authorized or required by law.

Please note that these third-party services supplement USDA's traditional communication and outreach efforts. Should you have concerns about communicating with USDA via these channels, please use traditional channels to contact us.

Website Security

For site security purposes and to ensure that this service remains available to all users, this government computer system employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage.

Except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits. Raw data logs are used for no other purposes and are scheduled for regular destruction in accordance with National Archives and Records Administration General Schedule 20.

Unauthorized attempts to upload information or change information on this service are strictly prohibited and may be punishable under applicable Federal laws.

Comments or Questions

If you have any comments or questions about the information presented here please forward them to fsis.webmaster@usda.gov.

What is the Privacy Act?

The Privacy Act of 1974 (5 U.S.C. 552a) is a code of fair information practices which mandates how federal agencies, such as the FSIS, maintain records about individuals. The Privacy Act requires that agencies:?

• collect only information that is relevant and necessary to carry out an agency function;
• maintain no secret records on individuals;
• explain at the time the information is being collected, why it is needed and how it will be used;
• ensure that the records are used only for the reasons given, or seek the person's permission when another purpose for the records' use is considered necessary or desirable;
• provide adequate safeguards to protect the records from unauthorized access and disclosure; and
• allow people to see the records kept on them and provide them with the opportunity to correct inaccuracies in their records.

Does the Privacy Act apply to all FSIS records?

No. The Privacy Act only applies to FSIS records that:

• contain information on individuals,
• are maintained by the FSIS in a "system of records," and are retrievable by a personal identifier (such as by name, Social Security or employee number, or any unique identifier linked to an individual).

What is a "System of Records"?

A System of Records is a group of any records under the control of any agency from which information is retrievable by the name of the individual or by some unique identifying number, symbol, or other identifier assigned to an individual.

Does the Privacy Act apply to all records in the "system of records"?

No. The Privacy Act applies only to living U.S. citizens or lawful permanent resident aliens and FSIS records that meet the Privacy Act requirements.

How does FSIS inform the public about record systems covered by the Privacy Act?

The FSIS informs the public about its record systems covered by the Privacy Act by publishing notices in the Federal Register. The record systems are referred to as Privacy Act systems of records (SOR) and the notices (SORN) provide a description of a particular system of records. Click here for a list of USDA/FSIS SORNs. The Office of Personnel Management (OPM) also publishes SORNS that cover some of FSIS' record systems.

How would I get a copy of records in a records system maintained by FSIS?

To obtain a copy of records in a records system maintained by FSIS (or any records in its custody or control), follow the instructions on the FSIS FOIA page.

Who would I contact if I have a work-related privacy question?

If you believe you have been involved in a work-related paper or electronic privacy breach/incident, call: Hotline Number: 1-877-744-2968 or 1-888-926-2373 (24 hrs). If the breach or incident involves FSIS-issued equipment (e.g., laptop, cell phone), please also immediately notify the USDA Client Experience Center (CEC) Help Desk at 1-877-873-0783. For additional follow-up questions on the breach/incident that you reported, you can write to: Privacy Office, 1400 Independence Ave, S.W., Room 2164, South Bldg., Washington, DC 20250 or e-mail Okechi.Chigewe@usda.gov or Timothy.Poe@usda.gov or fax: (202) 690-3023. Do not include any personal information in e-mails.

For other than privacy breach/incident reporting, individual questions or concerns about privacy issues at FSIS should be directed to your supervisor. The Privacy Office generally is involved only in agency- or program-wide privacy issues.

If you wish to contest or amend information in an FSIS system, e-mail usdaprivacy@usda.gov with your contact information and a brief, general description of the type of record you are seeking to contest or amend (e.g., FSIS form no. 1234 or beneficiary form). Do not include any personal data in your e-mail. The privacy mailbox will forward your e-mail to the manager of the system holding the type of record you describe.

What is the difference between the Freedom of Information Act (FOIA) and the Privacy Act?

The FOIA and Privacy Act both provide procedural rights to requesters seeking records created by an Agency or under the custody and control of an Agency. The Privacy Act, however, provides only U.S. citizens and permanent resident aliens (or to their representatives with the individual's written consent) the right of access to their own records. Privacy Act exemptions to access apply to all of the records in a particular system of records. The FOIA provides a general right of access to all requesters seeking agency records, including to non-citizen and business requesters. FOIA exemptions may apply to particular records or to portions of particular records, and not to all records in a system. See FOIA page for how to make a FOIA request.

Can I use FSIS email to send documents containing PII?

The body of the emails themselves, while internally encrypted, are only secure during transit. There are potential risks once the email has landed in your inbox, or, if the email was sent to the wrong addressee. Attachments are not internally encrypted.

Therefore, password protect and/or encrypt all documents and data storage devices containing sensitive PII. "Sensitive PII" is personally identifiable information which, when disclosed, could result in harm to the individual whose name or identity is linked to the information. Such information includes, but is not limited to: Social Security Numbers, employee identification numbers, health or medical information or condition, employee performance, allegations of misconduct made by or against the employee, and non-business contact information. Encryption and/or password protection should be applied for sensitive PII placed in the body of the emails or in attachments, and whether you are transmitting internally or externally. The password should be provided separately from the attachment.See FSIS Directive 1306.14, Rev. 2 (Media Protection) (9/15/16) and FSIS Directive 1306.21 (Privacy Controls For FSIS Information Systems) (5/24/17), especially, Sec. V(B), p. 3 for the roles and responsibilities of all personnel concerning the electronic transmission of documents containing PII.

If you are sending hard copies of documents containing PII, be sure they are "double-wrapped" by placing the documents in an envelope within an outside envelope.

How do I password protect/encrypt records?

Instructional assistance is available at https://aglearn.usda.gov/enrol/index.php?id=52840, or contact: FSIS Privacy Officer at Timothy.Poe@usda.gov.

Can I store, transmit or view PII on a mobile device?

All sensitive information stored, transmitted or viewed on mobile devices and removable media shall be protected and encrypted in accordance with DR 3440-002, "Control and Protection of Sensitive Security Information", and DR 3170-001, "End User Workstation Standards," Appendix B, Section 16.0, "Portal and Mobile Devices". (The storage, transmission or viewing should only be done on an FSIS-issued device, not on your private device.)

How can I learn more about PII?

AgLearn PII Training is available at: https://aglearn.usda.gov/enrol/index.php?id=52840

For technical difficulties with the PII Training please refer to askFSIS.

FSIS Agency Privacy Officer

Timothy Poe
USDA/FSIS/OPACE/FOIA/AOP
1400 Independence Ave., SW
Room 1170 South Building
Washington, DC 20250
Email: Timothy.Poe@usda.gov

FSIS Office of the Chief Information Officer

Marvin Lykes, Assistant Chief Information Security Officer
Security Compliance & Infrastructure Operations Center
Office of the Chief Information Officer
Food Safety and Inspection Service
United States Department of Agriculture
South-Building Room 0166
Washington, DC 20250
Mobile: (202) 515-6115
Email: Marvin.Lykes@USDA.GOV

U.S. Department of Agriculture

USDA Senior Agency Official for Privacy

Scherida Lambert, Chief Privacy Officer
Office of Chief Information Officer
Cybersecurity and Privacy Operations Center (CPOC)
U.S. Department of Agriculture
Washington, DC 20250-1400
Email: scherida.lambert@usda.gov

Contact Information for USDA Privacy Officials

The Privacy Office
U.S. Department of Agriculture
Washington, DC 20250
Phone: (202) 720-8755
Fax: (202) 720-3445
Email: usdaprivacy@usda.gov

USDA Office of the Chief Information Officer

Gary Washington, Chief Information Officer
Gary.S.Washington@usda.gov

The information on this Website is provided for general informational purposes only and should not be considered as individual guidance or legal advice.

The USDA Privacy Council comprises of the USDA Senior Agency Official for Privacy (SAOP), the USDA Chief Privacy Officer (CPO), the USDA Privacy Act Officer (PAO), and the APOs of USDA sub-agencies. The USDA Privacy Council, of which the FSIS APOs are members, is responsible for monitoring USDA's and all sub-agencies' compliance with the USDA privacy program.

• USDA Privacy Council Member Website (Login required)

The Federal Privacy Council

The Federal Privacy Council is the principal inter-agency forum to improve the privacy practices of agencies and entities acting on its behalf. The work of the Federal Privacy Council shall strengthen protections of people’s personal information and privacy rights across the Federal Government. To achieve this purpose, the Federal Privacy Council shall:

• support inter-agency efforts to protect privacy and provide expertise and assistance to agencies;
• expand the skill and career development opportunities of agency privacy professionals;
• improve the management of agency privacy programs by identifying and sharing lessons learned and best practices; and
• promote collaboration between and among agency privacy professionals to reduce unnecessary duplication of efforts and to ensure the effective, efficient, and consistent implementation of privacy policy government-wide.

The information on this Website is provided for general informational purposes only and should not be considered as individual guidance or legal advice.

All linked documents are in PDF.
Abbreviations: FIPS = Federal Information Processing Standards; SP = Special Publication

• FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (February 2004) ​
• FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (March 2006) ​
• NIST SP 800-12, an Introduction to Computer Security: The NIST Handbook (October 1995)
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (September 1998) ​
• NIST SP 800-16, Information Technology Security Training Requirements (April 1998)​ ​
• NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems (February 2010) ​
• NIST SP 800-39, Managing Information Security Risk Organization, Mission, and Information System View​ (March 2011)
• NIST SP 800-50, Building Information Technology Security Awareness and Training Program (October 2003) ​
• NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, App. J (April 2013) ​
• NIST SP 800-53A, Rev. 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (December 2014)
• NIST SP 800-59, Guideline for Identifying an Information System as a National Security System (August 2003) ​
• NIST SP 800-60, Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories (August 2008) ​
• NIST SP 800-61, Rev. 2, Computer Security Incident Handling Guide (August 2012). ​This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident.
• NIST SP 800-63A, Digital Identify Guidelines: Enrollment and Identity Proofing  (June 2017)
• NIST SP 800-63-3, Digital Identity (June 2017)
• NIST SP 800-64, Rev. 2, Security Considerations in the System Development Lifecycle (SDLC) (October 2008). This guide focuses on the information security components of the SDLC. First, descriptions of the key security roles and responsibilities that are needed in most information system developments are provided. Second, sufficient information about the SDLC is provided to allow a person who is unfamiliar with the SDLC process to understand the relationship between information security and the SDLC.​
• NIST SP 800-83, Guide to Malware Incident Prevention and Handling (November 2005). This publication provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. The recommendations address several major forms of malware, ​
• NIST SP 800-100, Information Security Handbook: A Guide for Managers (October 2006). This publication informs the information security management team about various aspects of information security that they will be expected to implement and oversee in their respective organizations. In addition, it provides guidance for facilitating a more consistent approach to information security programs across the federal government.​
• NIST SP 800-122, Guide to Protecting the Confidentiality of PII (April 2010). This document provides guidelines for a risk-based approach to protecting the confidentiality of personally identifiable information (PII).
• NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing (December 2011)
• NIST SP 800-177, Trustworthy Email  (September 2016)

The information on this Website is provided for general informational purposes only and should not be considered as individual guidance or legal advice.

All linked documents are in PDF.

• GAO-09-759T, Governments Have Acted to Protect PII, but Vulnerabilities Remain
• GAO-08-795T, Congress Should Consider Alternatives for Strengthening Protection of PII
• ​GAO-08-536, Alternatives Exist for Enhancing Protection of Personally Identifiable Information
• ​GAO-08-343, Protecting Personally Identifiable Information
• ​GAO-07-935T, Agencies Report Progress, but Sensitive Data Remain at Risk
• ​GAO-07-837, Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses
• GAO-07-751T, Persistent Weaknesses Highlight Need for Further Improvement
• GAO-07-657, Lessons Learned about Data Breach Notification
• GAO-06-866T, Leadership Needed to Address Information Security Weaknesses and Privacy Issues
• GAO-06-833T, Preventing and Responding to Improper Disclosures of Personal Information

The information on this Website is provided for general informational purposes only and should not be considered as individual guidance or legal advice.

FSIS Privacy Documents (included on USDA's Website)

• Privacy Impact Assessments (PIA)
• System of Records Notice (SORN)

FSIS Directives

All linked documents are in PDF.

FSIS Privacy-related Directives include, but are not limited to:

• 1306.1 Information System Incident Response - Revision 2 (Jun 9, 2016)
• 1306.2 Information System Security Assessment and Authorization (Apr 4, 2016)
• 1306.3 Configuration Management of Security Controls for Information Systems - Revision 2 (May 3, 2016)
• 1306.4 Information Security Risk Assessment (Apr 14,2016)
• 1306.5 Identification and Authentication - Revision 2 (May 24, 2016)
• 1306.6 System and Information Integrity - Revision 2 (Jun 21, 2016)
• 1306.7 Information Systems Physical and Environmental Protection - Revision 2 (Jun 21, 2016)
• 1306.8 Security Awareness and Training - Revision 2 (Aug 22, 2016)
• 1306.9 System and Communication Protection - Revision 2 ( Apr 19, 2016)
• 1306.10 Information System Access Control - Revision 2 (Sep 8, 2016)
• 1306.11 Information Systems Audit and Accountability - Revision 2 (Sep 1, 2016)
• 1306.12 Information System Security Maintenance - Revision 2 (Aug 31, 2016)
• 1306.13 Information Systems Planning - Revision 1 (Sep 1, 2016)
• 1306.14 Media Protection - Revision 2 (Sep 15, 2016)
• 1306.15 Information Systems Contingency Planning - Revision 1 (Sep 20, 2016)
• 1306.16 Security Assurance - Revision (Sep 20, 2016)
• 1306.17 Safeguarding Electronic Equipment and Data During Foreign Travel (Aug 16, 2011)
• 1306.18 Safeguarding Mobile or Portable Electronic Equipment and Data (Sep 29, 2016)
• 1306.19 Personnel Security for Information Systems - Revision 1 (Sep 6, 2016)
• 1306.20 Information System and Services Acquisition (Sep 6, 2016)
• FSIS Directive 1306.21 Privacy Controls for FSIS Information Systems (May 24, 2017)
  Describes the roles and responsibilities of FSIS privacy program officials and of all FSIS systems owners and users.
• 1307.1 Systems Development Life Cycle (SDLC) (Jan 7, 2015)
• 1310.1 Electronic Communications Operations Persons (E-COP) Procedures (Dec 14, 2015)
• 1310.3 Technical Change Control Board (TCCB) (Aug 13, 2008)
• 1320.4 Office of Field Operations (OFO) AssuranceNet Data Monitoring Responsibilities (May 13, 2010)

U.S. Department of Agriculture Directives and Regulations

All documents are in PDF.

USDA Directives and Regulations related to privacy, include, but are not limited to:

• DR 3170-001 - End User Workstation Configurations (10/13/22)
• DR3515-001 - Use of Web Measurement and Customization Technologies (10/21/11)
• DR3515-002 - Privacy Policy and Compliance for Personally Identifiable Information (PII) (10/30/20)
• DR3505-003 - Access Control for Information and Information Systems (07/17/19)
• DR3505-005 - Cyber Security Incident Management (11/30/18)
• DM3505-005 - Cybersecurity Incident Management Procedures (11/30/18)
• DR3410-001 - Information Collection Activities-Collection of Information from the Public (01/26/22)
• DR3440-002 - Control and Protection of "Sensitive Security Information" (01/30/03)
• DR3441-001 - USDA Sensitive Compartmented Information Security Program (01/18/12)
• DR3450-001 - Computer Matching Program Involving Personally Identifiable Information (10/29/20)
• DR3450-002 - FOIA Implementing Regulations (02/07/03)

Related Information

• FSIS Office of the Chief Information Officer
• USDA Office of the Chief Information Officer