Privacy Impact Assessments (PIAs) FAQs
By DON CIO Privacy Team - Published, October 26, 2012
When do I complete a privacy impact assessment (PIA)?
Whenever an IT system collects, transmits or disseminates PII pertaining to the public and/or Federal employees, retirees, contractors and/or dependents. One exception: PIAs are not required for national security designated systems.
My IT system does not collect any PII but it does require the use of PII to verify user access. Is a PIA required?
If the user table only requires business-related PII (e.g., badge number, rank, position, office phone number, etc.), a PIA is generally not required. Contact the DON CIO Privacy Team with any questions regarding a particular IT system.
How often must a PIA be reviewed?
New guidance from the Department of Defense states that PIAs must be reviewed every three years. DON CIO will promulgate specific guidance on how this three-year cycle will be implemented.
Who must review and sign a PIA?
At a minimum, the system owner/program manager, information assurance (IA) coordinator and Privacy Act coordinator must sign the PIA as reviewers. The DON CIO will approve all PIAs. The DON Privacy Act program manager will also review and sign the Navy PIAs prior to final approval.
Does a PIA have to be completed before an IT system that contains PII can be used?
A PIA should be completed prior to an IT system going operational on the network. For systems already operational, a PIA should be submitted as soon as possible.
Who is responsible for submitting the PIA?
PIAs are reviewed by the system owner or program manager, the IA coordinator and the Privacy Act coordinator of the unit or command that owns the IT system. The person responsible for submission may be at the unit, command or, in some cases, the Echelon II level.
How can I obtain a copy of a completed PIA?
The DON CIO can provide a copy of a completed PIA upon request. Please note that the new DoD PIA template has been approved. This new form is automated and uses drop-down menus and digital signatures. A complete list of signed and approved PIAs is also available.