Privacy Controls for FSIS Information Systems - Revision 1
I. PURPOSE
This directive lists privacy control requirements as stated in the National Institute of Science and Technology (NIST) Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, and NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. It provides general information concerning how the Office of the Chief Information Officer (OCIO), Privacy Office, and other responsible parties implement the requirements within the Food Safety and Inspection Service (FSIS). This revision incorporates the requirement for all FSIS employees, contractors, and partners to receive annual personally identifiable information (PII) training through the Department’s AgLearn training tool.
II. CANCELLATION
FSIS Directive 1306.21, Privacy Controls for FSIS Information Systems, 5/24/17
III. BACKGROUND
A. Privacy, with respect to PII, is a very important value for any Government organization. NIST SP 800-53, Revision 4, defines PII as information that can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information, which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.). Government organizations maintain privacy by making sure that their policies and procedures address it. Protecting the privacy of individuals and their PII that is collected, used, maintained, shared, and disposed of by programs and information systems is a fundamental responsibility of Federal organizations.
B. FSIS ensures information security controls are in place to protect FSIS program offices and information systems and data in compliance with Public Law 107-347, Title III, E-Government Act of 2002; Public Law 113-283, The Federal Information Security Modernization Act (FISMA) of 2014; Public Law 93-579, Privacy Act of 1974, as amended; and USDA Privacy regulations.
C. The goals of FISMA include development of a comprehensive framework to protect the Government’s information, operations, and assets. FISMA assigns specific responsibilities to Federal agencies, NIST, and the Office of Management and Budget (OMB) to strengthen information technology (IT) system security. FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information security risks to an acceptable level.
D. The privacy controls are based on the Fair Information Practice Principles (FIPPs) embodied in the Privacy Act of 1974, Section 208 of the E-Government Act of 2002, NIST SP 800-53, Revision 4, and OMB policies. The FIPPs are designed to build public trust in the privacy practices of organizations and to help agencies avoid tangible and intangible damages from privacy incidents. The privacy controls are implemented at the department, agency, program office, and information system level. The FSIS privacy controls are implemented under the leadership and oversight of the FSIS Privacy Office, and in coordination with FSIS OCIO, program officials, legal counsel, and others, as appropriate.
IV. ROLES AND RESPONSIBILITIES FOR FSIS ADMINISTRATORS
A. Agency Administrator.
- Ensures that information security and privacy policies, procedures, and practices are adequate and in place; and
- Allocates sufficient resources (e.g., personnel and funds) to implement and operate the Privacy Program according to the NIST requirements.
B. FSIS Assistant Administrators.
- Ensure that all privacy procedures are followed;
- Ensure that employees follow privacy best practices; and
- Ensure that employees have access to PII-specific training.
V. ROLES AND RESPONSIBILITIES FOR THE FSIS PRIVACY OFFICE
- Follows the guidelines set forth by the Senior Agency Officials for Privacy (SAOP) comprised of members of the FSIS Office of Public Affairs and Consumer Education (OPACE), and the USDA Privacy Council;
- Facilitates the Agency’s efforts to comply with privacy requirements affecting the Agency’s programs and systems that collect, use, maintain, share, or dispose of PII or other activities that raise privacy risks;
- Ensures the development, implementation, and enforcement of FSIS privacy policies and procedures;
- Defines roles and responsibilities for protecting PII;
- Determines the level of information sensitivity regarding PII holdings;
- Identifies the laws, regulations, and internal policies that apply to PII;
- Monitors privacy best practices;
- Monitors and audits compliance with identified privacy controls;
- Determines whether the proposed collection of PII, as well as the PII already collected, are authorized;
- Documents the authority to collect PII in the Privacy Threshold Analysis (PTA), the Privacy Impact Assessment (PIA), System of Records Notice (SORN), or other applicable documentation;
- Describes the purpose(s) for which PII is collected, used, maintained, and shared in the system’s privacy notices;
- Describes the purpose in the related privacy compliance documentation, including the PTA, PIA, SORN, and other applicable documentation; and
- Conducts privacy incident and breach investigations jointly with OCIO and documents the agreed upon mitigation and resolution.
VI. ROLES AND RESPONSIBILITIES FOR FSIS SYSTEM OWNERS AND USERS
A. System Owners. System owners are FSIS employees who are designated by their specific program area and may be from program areas outside of OCIO. They are to:
- Assist in the development of detailed operating procedures to satisfy appropriate privacy controls;
- Assign to system users the appropriate level of role-based access;
- Collaborate with the PII Officer or OCIO to develop and execute internal audit controls, following the guidance they provide for the development and execution of those controls;
- Notify OCIO to request approval by the Technical Change Control Board (TCCB) when use of the system is to be modified, including when new software is tested or installed; and
- Assist OCIO or the PII Officer in identifying appropriate privacy training courses for system users who have significant information system security roles and responsibilities during the system development life cycle (SDLC):
- a. Before authorizing access to the system or performing assigned duties; and
- b. When required by system changes.
B. System Owners will ensure that system users successfully complete the designated training.
C. FSIS System Users. All employees, contractors, and authorized individuals who use FSIS IT resources are to:
- Be knowledgeable of the contents in this directive;
- Follow procedures in this directive, as well as those stated in all privacy-related directives, including those listed on the FSIS Privacy Program web page at: https://www.fsis.usda.gov/wps/portal/informational/aboutfsis/privacy/privacy-program;
- Password protect or encrypt all documents and data storage devices containing PII or any other data that could identify an individual;
- Notify the supervisor, who, in turn, is to notify the Privacy Office, when documents and data storage devices that should have been password protected or encrypted are sent or received without proper protection or encryption;
- Cooperate with the Privacy Officer and OCIO in their investigation and documentation of a privacy breach or incident, including their investigation of the employees’ failure to password protect PII in records they transmitted by email or sent by mail; and
- Complete PII and security training, as required.
VII. ROLES AND RESPONSIBILITIES FOR FSIS OCIO
A. OCIO. Supports and promotes the privacy controls for information systems throughout FSIS.
B. OCIO Information Systems Security Program Manager (ISSPM)/Chief Information Security Officer (CISO).
- Ensures collaboration among organizational entities;
- Incorporates effective privacy protections and practices (i.e., privacy controls) within FSIS programs and information systems and the environments in which they operate;
- Assists system owners in identifying appropriate privacy procedures or personnel;
- Documents and provides appropriate privacy training to personnel (including system owners, system and network administrators) as identified by the Information System Security Officer (ISSO) within the OCIO System Security and Compliance Branch of the Information Security Center;
- Establishes, maintains, and updates annually an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, sharing, or disposing of PII;
- Provides each update of the PII inventory to the Chief Information Officer (CIO) or information security official annually to support the establishment of information security requirements for all new or modified information systems containing PII;
- Develops and implements a Privacy Incident Response Plan (PIRP) which outlines policy and procedures to follow if PII is potentially or actually compromised;
- Establishes a cross-functional Privacy Incident Response Team (PIRT) that reviews, approves, and participates in the execution of the PIRP;
- Develops a process to determine when to notify appropriate oversight organizations or affected individuals regarding a privacy incident (e.g., any potential or actual compromise of PII);
- Develops a privacy risk assessment process to determine the extent of harm, embarrassment, inconvenience, or unfairness to affected individuals and takes steps to mitigate any such risks, where appropriate;
- Develops an internal procedure to ensure prompt reporting by employees and contractors of any privacy incident to information security officials;
- Develops an internal procedure for reporting noncompliance with privacy policy by employees or contractors to appropriate management or oversight officials; and
- Provides an organized and effective response to privacy incidents in accordance with the PIRP.
VIII. NIST SP 800-53, REVISION 4 REQUIREMENTS FOR FSIS
A. Accountability, Audit, and Risk Management.
- Appoint an FSIS Privacy Officer within OPACE who is accountable for developing, implementing, and maintaining a governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of PII by programs and information systems;
- Monitor Federal privacy laws and policy for changes that affect the privacy program;
- Allocate sufficient resources to implement and operate the privacy program;
- Develop a strategic privacy plan for implementing applicable privacy controls, policies, and procedures;
- Update the privacy plan, policies, and procedures at least biennially;
- Document and implement a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of PII;
- Conduct PTAs and PIAs for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing policies and procedures;
- Perform a PTA and PIA before developing or procuring information systems, or initiating programs or projects that collect, use, maintain, or share PII, and update them when changes create new privacy risks;
- Establish privacy roles, responsibilities, and access requirements for contractors and service providers;
- Include privacy requirements in contracts and other acquisition-related documents;
- Monitor and audit privacy controls and internal privacy policy annually to ensure effective implementation;
- Implement a process to embed privacy considerations into the life cycle of PII, programs, information systems, mission or business processes, and technology;
- Track programs, information systems, and applications that collect and maintain PII to ensure compliance with this directive;
- Ensure that access to PII is only on a need-to-know basis;
- Ensure that PII is being maintained and used only for the legally authorized purposes identified in the public notice(s);
- Implement technology to audit for security, appropriate use, and loss of PII;
- Perform reviews to ensure physical security of documents containing PII;
- Assess contractor compliance with privacy requirements;
- Ensure that corrective actions identified as part of the assessment process are tracked and monitored until audit findings are corrected;
- Develop, implement, and update a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
- Ensure that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements annually;
- Develop, disseminate, and update reports to the Department, to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance;
- Design information systems to support privacy by automating privacy controls;
- To the extent feasible, employ technologies and system capabilities that automate privacy controls on the collection, use, retention, and disclosure of PII when designing information systems;
- Conduct periodic reviews of systems to determine the need for updates to maintain compliance with the privacy regulations;
- Keep an accurate accounting of disclosures of information held in each system of records under its control, including:
- a. Date, nature, and purpose of each disclosure of a record; and
- b. Name and address of the person or Agency to which the disclosure was made.
- Retain the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and
- Make the accounting of disclosures available to the person named in the record upon request, unless exempted or excluded under applicable regulations.
B. Data Quality and Integrity.
- Confirm to the greatest extent practicable, upon collection or creation of PII, the accuracy, relevance, timeliness, and completeness of that information;
- Collect PII directly from the individual to the greatest extent practicable;
- Check for, and correct as necessary, any inaccurate or outdated PII used by its programs or systems annually;
- Issue guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of collected or disseminated information;
- Ensure that the individual or the individual’s authorized representative validates PII during the collection process;
- Ensure that the individual or the individual’s authorized representative revalidates annually that the PII that was collected is still accurate; and
- Document processes to ensure the integrity of PII through existing security controls.
C. Data Minimization and Retention.
- Identify the minimum PII elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
- Limit the collection and retention of PII to the minimum elements identified for the purposes described in the SORN for which the individual has provided consent;
- Conduct an initial evaluation of PII holdings;
- Establish and follow a schedule for an annual review of those holdings to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose;
- Locate and remove or redact specified PII and use anonymization and re-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure where feasible and within the limits of technology;
- Retain each collection of PII in accordance with a National Archives and Records Administration (NARA)-approved record retention schedule to fulfill the purpose(s) identified in the notice or as required by law;
- Dispose of, destroy, erase, and anonymize the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access;
- Use Agency-authorized methods to ensure secure deletion or destruction of PII (including originals, copies, and archived records);
- Configure information systems to record the date PII is collected, created, or updated and when PII is to be deleted or archived under an approved record retention schedule where feasible;
- Develop policies and procedures that minimize the use of PII for testing, training, and research;
- Implement controls to protect PII used for testing, training, and research; and
- Use techniques to minimize the risk to privacy of using PII for research, testing, or training where feasible.
D. Individual Participation and Redress.
- Provide means for individuals to authorize the internal collection, use, maintenance, and sharing of PII prior to its collection, where feasible and appropriate;
- Obtain consent through opt-in, opt-out, or implied consent;
- Provide appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
- Obtain consent from individuals prior to any new uses or disclosure of previously collected PII, where feasible and appropriate;
- Implement mechanisms to support itemized or tiered consent to specific uses of data;
- Construct consent mechanisms to ensure that operations comply with individual choices;
- Provide individuals the ability to have access to their PII maintained in its system(s) of records unless exempted or excluded under applicable regulations;
- Adhere to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests;
- Provide a process for individuals to have inaccurate PII maintained corrected or amended, as appropriate;
- Use discretion in determining if records are to be corrected or amended, based on the scope of redress requests, the changes sought, and the impact of the changes;
- Provide effective notice of the existence of a PII collection;
- Establish criteria for submitting requests for correction or amendment;
- Implement resources to analyze and adjudicate requests;
- Implement means of correcting or amending data collections;
- Review any decisions that may have been the result of inaccurate information;
- Provide responses to individuals of decisions to deny requests for correction or amendment, including the reasons for the decision, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations;
- Take steps to ensure that all authorized recipients of that PII are informed of the corrected or amended information where PII is corrected or amended;
- Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the privacy practices;
- Provide complaint mechanisms that are readily accessible by the public and include all information necessary for successfully filing complaints; and
- Respond to complaints, concerns, or questions from individuals within 48 hours of receipt.
E. Security.
- Establish, maintain, and update annually an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing PII;
- Provide each update of the PII inventory to the CIO or information security official annually to support the establishment of information security requirements for all new or modified information systems containing PII;
- Develop a process to determine whether notice to oversight organizations or an affected individual is appropriate and, if so, to provide that notice accordingly;
- Develop a privacy risk assessment process to determine the extent of harm, embarrassment, inconvenience, or unfairness to affected individuals and take steps to mitigate any such risks, where appropriate;
- Develop an internal procedure to ensure prompt reporting by employees and contractors of any privacy incident to information security officials;
- Develop an internal procedure for reporting noncompliance with privacy policy by employees or contractors to appropriate management or oversight officials; and
- Provide an organized and effective response to privacy incidents in accordance with the PIRP.
F. Transparency.
1. Provide effective notice to the public regarding:
- a. Activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of PII;
- b. Authority for collecting PII;
- c. The choice, if any, individuals have regarding how PII is used and the consequences of exercising or not exercising the choice; and
- d. The ability to access and have PII amended or corrected if necessary.
2. Describe the PII collection and the purpose(s) for which FSIS collects that information and consider the following:
- a. How the PII is used internally;
- b. The sharing of PII with external entities, the categories of those entities, and the purpose for such sharing;
- c. The ability of an individual to consent to specific use or sharing of PII and how to exercise any such consent; and
- d. How an individual can obtain access to their PII.
3. Revise public notices in the Federal Register or on the public website to reflect changes in practice or policy that affect PII or changes in FSIS activities that impact privacy, before or as soon as practicable after the change;
4. Provide real-time or layered notice when collecting PII;
5. Keep SORNs current;
6. Include Privacy Act Statements on forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected;
7. Ensure that the public has access to information about its privacy activities and is able to communicate with the Agency privacy officials; and
8. Ensure that privacy practices are publicly available through the Agency websites or otherwise.
G. Use Limitation Conducted by OCIO.
- Use PII internally only for the authorized purpose(s) identified in the Privacy Act or in public notices;
- Train all FSIS employees, contractors, and partners on the authorized use of PII annually using the Department’s AgLearn training tool;
- Document the process and procedure for evaluating any new uses of PII to assess whether they fall within the scope of authority of the Agency officials;
- Obtain consent from individuals for the new use(s) of PII, where appropriate;
- Share PII externally, only for the authorized purposes identified in the Privacy Act or described in its notice(s) or for a purpose that is compatible with those purposes;
- Enter into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used, where appropriate; and
- Evaluate any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.
IX. PENALTIES AND DISCIPLINARY ACTIONS FOR NON-COMPLIANCE
FSIS Directive 1300.7, Managing Information Technology (IT) Resources, sets forth the FSIS policies, procedures, and standards on employee responsibilities and conduct relative to the use of computers and telecommunications equipment. In addition, FSIS Directive 4735.3, Employee Responsibilities and Conduct, outlines the disciplinary action that FSIS may take when an employee fails to fulfill responsibilities or adhere to standards of conduct.
X. QUESTIONS
A. For questions regarding privacy controls for information systems, contact the Agency Information System Security Program at: FSIS_Information_Security@fsis.usda.gov.
B. USDA Departmental directives are located at: http://www.ocio.usda.gov/policy-directives-records-forms and FSIS Directives and Notices are located at http://www.fsis.usda.gov/wps/portal/fsis/topics/regulations.