TABLE OF CONTENTS
| Topics | Sections |
| OVERVIEW | 1.1 What is the purpose of this chapter? 1.2 What is the scope of this chapter? 1.3 What terms do you need to know to understand this chapter? 1.4 What are the authorities for this chapter? |
| OVERALL POLICY | 1.5 What is the Service’s overall privacy policy? |
| RESPONSIBILITIES | 1.6 Who is responsible for the Service’s privacy program? |
| PENALTIES FOR MISHANDLING PRIVACY INFORMATION | 1.7 What are the penalties associated with the willful or negligent handling of privacy information? |
OVERVIEW
1.1 What is the purpose of this chapter? This chapter:
A. Provides policy to help ensure that the U.S. Fish and Wildlife Service (Service) collects, manages, protects, and shares Personally Identifiable Information (PII) in accordance with the Privacy Act of 1974 (Privacy Act) and all other applicable Federal and Department of the Interior (Department) laws, regulations, and policies;
B. Describes the Service’s privacy program within the Information Resources and Technology Management (IRTM) program and establishes the responsibilities and authorities of the Service’s Associate Privacy Officer (APO), who oversees the Service’s privacy compliance activities;
C. Describes organizational responsibilities for managing and securing PII entrusted to the Service, including sensitive PII; and
D. Establishes the Service’s Privacy Program Handbook, which steps down the policy in this chapter.
1.2 What is the scope of this chapter?
A. The requirements in this chapter apply to all Service employees, contractors (through their contracts), volunteers, partners, and others who perform work for or on behalf of the Service. We use the term “employee” in this chapter as a general term to describe all of these individuals.
B. When a contractor or other non-Federal entity performs work on behalf of the Service that requires one or more of the following activities, their contract or agreement must include terms to ensure they meet the requirements in this chapter:
(1) Operating a system of records;
(2) Collecting or processing PII; or
(3) Creating, maintaining, or operating an information system that collects or maintains PII.
1.3 What terms do you need to know to understand this chapter?
A. Breach. The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where:
(1) An unauthorized user accesses or potentially accesses PII, or
(2) An authorized user accesses or potentially accesses PII for an unauthorized purpose.
B. Consent. An individual’s permission to authorize the Federal Government to collect, use, maintain, or share their PII prior to its collection. Consent is fundamental to the participation of individuals in the decision-making process regarding the collection and use of their PII and the use of technologies that may increase risk to personal privacy.
C. Disclosure. The release of information in a system of records to any person other than to whom the information pertains, including any employee of the Service, the Department, or employees of other Federal agencies. We must document disclosures on a DI-3710, Disclosure Accounting Form.
D. Information system. A discrete set of resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
E. Maintain. For the purposes of this chapter, includes the management, collection, use, or dissemination of records about individuals.
F. Members of the public. For the purposes of this chapter, any person who is not an employee of the Federal Government, including Tribal, State, and local government representatives when working in an official capacity. For example, a university biologist acting in their official capacity in partnership with the Service is a member of the public.
G. Personally Identifiable Information (PII). Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to an individual. Examples of PII include email addresses, phone numbers, photographs, license plate numbers, and logins or usernames. Also see section 1.3N for more information about sensitive PII.
H. Privacy Act System Manager (System Manager). Employee designated in the System of Records Notice (SORN) as having administrative responsibility for a system of records. The System Owner is usually also the Privacy Act System Manager.
I. Privacy Impact Assessment (PIA). An analysis of how information is handled to:
(1) Ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy;
(2) Determine the risks and effects of maintaining information in identifiable form in an information system; and
(3) Examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
J. Privacy notice. A notice the Service gives to individuals when they interact with a Service website, form, application, or system that collects PII. Privacy notices describe the authorities that allow us to collect PII, the reasons we are collecting it, our intended use for it (including sharing and dissemination), and any consequences of not providing the information. We often provide privacy notices in the form of Privacy Act statements.
K. Privacy Threshold Assessment (PTA). A tool used to identify privacy-sensitive projects, programs, systems, and any potential gaps in privacy compliance, including the requirement to conduct a full PIA.
L. Record. For the purposes of this chapter, any item, collection, or grouping of information about an individual that the Service maintains (including, but not limited to, education history, financial transactions, medical history, criminal or employment history) that contains the individual’s name or other identifier (e.g., fingerprint, photograph, etc.).
M. Routine use. An element of a SORN that describes the purposes for which we are authorized to disclose a record.
N. Sensitive PII. A subset of PII that, if lost, compromised, or inappropriately disclosed, could cause substantial harm to the individual or the Service. Examples of sensitive PII are Social Security Numbers (SSN), credit card or financial account numbers, personal identification numbers, passwords, certain health or medical information, and employment records like negative performance appraisals or adverse actions.
O. System Owner. Employee or organization having responsibility for the development, procurement, integration, modification, operation and maintenance, and final disposition of an information system.
P. System of records. A group of records under our control from which we retrieve information using an individual’s name or other personal identifier. Systems of records are subject to the provisions of the Privacy Act.
Q. System of Records Notice (SORN). A public notice in the Federal Register that describes a system of records.
1.4 What are the authorities for this chapter?
A. Controlled Unclassified Information and the Privacy Act (32 CFR 2002.46).
B. Department of the Interior Regulations on the Privacy Act (43 CFR 2, Subpart K) and Social Security Number Fraud Prevention Act Requirements (43 CFR 2, Subpart M).
C. E-Government Act of 2002 (Section 208) and the Federal Information Security Management Act of 2002 (Public Law 107-347).
D. Federal Information Security Modernization Act of 2014 (Public Law 113-283).
E. Freedom of Information Act (FOIA) (5 U.S.C. 552).
F. National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations.
G. Office of Management and Budget (OMB) Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act.
H. OMB Circular A-130, Managing Information as a Strategic Resource.
I. OMB Memorandum M-16-24, Role and Designation of Senior Agency Officials for Privacy.
J. OMB Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services.
K. OMB Memorandum M-17-12, Preparing for and Responding to a Breach of PII.
L. OMB Memorandum M-21-04, Modernizing Access to and Consent for Disclosure of Records Subject to the Privacy Act.
M. Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).
N. Privacy Act of 1974 (5 U.S.C. 552a).
O. 383 DM 1 – 13, Public Access to Records.
OVERALL POLICY
1.5 What is the Service’s overall privacy policy?
A. The Service regularly collects and uses PII from members of the public and Service employees to meet mission needs. While beneficial, doing so can create potential risks to individuals and the Service if someone were to inappropriately access, modify, or disclose the information. To minimize this risk and ensure fairness to individuals, we must follow the Fair Information Practice Principles (FIPP) upon which the Privacy Act is based. The FIPPs are:
(1) Purpose specification and use limitation. Provide notice to the individual of the specific purpose for collecting PII and only process, store, maintain, or disclose PII for the purpose explained in the notice. Ensure the use is compatible with the purpose for which the PII was collected or that is otherwise legally authorized.
(2) Authority. Ensure we have legal authority prior to creating, maintaining, or disclosing PII, including receiving information collection clearance in accordance with 281 FW 4 and 5 on information collection if collecting information from members of the public.
(3) Quality and integrity. Ensure PII is accurate, relevant, timely, and complete to the extent possible.
(4) Minimization. Only collect PII that is directly relevant and necessary and maintain PII only for as long as necessary to accomplish the intended purpose of collection.
(5) Individual participation. Provide individuals with:
(a) The opportunity to consent to the collection, use, and potential sharing of their PII to the greatest extent practicable; and
(b) Clear, accessible, and transparent notice regarding our authority and purpose for maintaining PII and by identifying this information on any applicable notices or documentation (e.g., within a SORN).
(6) Security. Establish administrative, technical, and physical safeguards to protect PII (in any medium) commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss, destruction, dissemination, or disclosure.
(7)Transparency. Be transparent about information policies and practices with respect to PII and provide clear and accessible notice to individuals regarding creation, storage, maintenance, and disclosure of PII.
(8) Access and amendment. Provide individuals with appropriate access to their PII and appropriate opportunity to correct or amend PII.
(9) Accountability. Be accountable for complying with these principles and applicable privacy requirements, and appropriately monitor, audit, and document compliance.
B. All employees must safeguard PII in their custody in accordance with the principles we describe above and in the Privacy Program Handbook. Specifically, employees must:
(1) Secure PII when not in use and only share PII with those who have an official need to know;
(2) Immediately report suspected or confirmed breaches of PII to the Service’s Security Operations Center or the Department’s Computer Incident Response Center, or both;
(3) Complete the Department’s required annual information management and technology training (including privacy training) and any required Role-Based Privacy Training (RBPT) based on employee responsibilities in accordance with Service privacy training requirements;
(4) Agree to and follow the Department’s Rules of Behavior for Computer Network Users (DI-4002) when accessing an information system containing PII;
(5) Ensure the assessment of privacy risk and mitigations is conducted before maintaining any sensitive PII, especially SSNs, in any medium (information systems or collections, forms, surveys, or applications) directly or indirectly through a partnership, agreement, or contract with another agency or organization; and
(6) Follow appropriate guidance for maintaining, handling, and disposing of PII in accordance with the Privacy Program Handbook.
C. System Owners and Managers of information systems that maintain or process PII are ultimately responsible for safeguarding the PII throughout the system lifecycle until disposition of the data. They must work with IRTM and others to comply with all regulatory requirements by:
(1) Incorporating privacy requirements in the design and development of the system in accordance with 270 FW 2, Project Management Office (PMO) and Information Management and Technology (IMT) Project Management and the IMT Project Review and Approval Handbook, including working with the APO and the Service’s Requirements Management Board to ensure the privacy provisions in regulation are included in any applicable contracts and agreements in accordance with 48 CFR 52.239-1 and 48 CFR 52.224-1 to 3;
(2) Ensuring adequate resources are available to meet applicable privacy requirements through the decommissioning of the system in accordance with 270 FW 3, Decommissioning Information Systems and Information Management and Technology Investments;
(3) Implementing the appropriate privacy controls defined in NIST Special Publication 800-53 and the Department’s Information Technology Security and Privacy Standards;
(4) Completing privacy plans, PTAs, PIAs, SORNs, and any other privacy documentation required by Federal or Departmental law, regulation, or policy before receiving an authorization to operate from the Associate Chief Information Officer (ACIO);
(5) Maintaining records in accordance with the requirements of 280 FW 1, Records and Information Management Policy and Program, and the applicable records schedule;
(6) Monitoring and assessing the effectiveness of privacy controls over time and conducting PIAs whenever changes and modifications are made to the system;
(7) Providing individuals with access to their PII and the opportunity to correct or amend records within the system of records consistent with the Department’s Privacy Act regulations (43 CFR 2.237-2.250);
(8) Disclosing PII only to authorized recipients in accordance with 5 U.S.C. 552a(b) and 43 CFR 2.231, and maintaining an account of disclosures in accordance with 43 CFR 2.232; and
(9) Creating and implementing information sharing agreements that incorporate applicable privacy provisions and requirements prior to sharing, exchanging, or receiving PII from external agencies, State and local governments, contractors, partners, or other external entities.
RESPONSIBILITIES
1.6 Who is responsible for the Service’s privacy program? See Table 1-1.
Table 1-1: Responsibilities for Privacy
| These employees... | Are responsible for... |
| A. The Director | (1) Approving or declining to approve Servicewide privacy policies and procedures, and (2) Ensuring the Service’s privacy program is administered effectively. |
| B. Directorate members | Ensuring employees within their areas of responsibility are aware of and comply with relevant Federal, Departmental, and Service privacy laws, regulations, policies, procedures, and guidance. |
| C. Associate Chief Information Officer (ACIO) (also known as the Assistant Director - IRTM) | (1) Providing overall leadership and direction for the Service’s privacy program; (2) Ensuring the Service’s privacy program has the necessary resources and budget to function effectively; (3) Serving as the Service’s Authorizing Official for information systems that process PII; (4) Ensuring Service information systems adequately protect PII and otherwise implementing necessary privacy protections and controls; (5) Establishing Service-specific privacy policies, procedures, and standards in coordination with the APO; and (6) Participating as a member of the Service’s Privacy Breach Response Team when a privacy breach occurs. |
| D. Associate Chief Information Security Officer (ACISO) | (1) Coordinating with the APO to implement security controls and safeguards to ensure information systems that process PII are appropriately protected; (2) Participating as a member of the Service’s Privacy Breach Response Team when a privacy breach occurs; and (3) Providing recommendations and guidance to the ACIO, APO, and others related to security and privacy control implementation, procedural requirements, and other security measures and safeguards for information systems. |
| E. Associate Privacy Officer (APO) | (1) Overseeing and managing the Servicewide privacy program in accordance with applicable Federal and Departmental laws, regulations, policies, and standards; (2) Advising the Service Directorate (including the ACIO) on privacy-related matters, including new or changing privacy laws, regulations, and policies; (3) Developing and implementing Service-specific privacy policies and procedures in alignment with Federal and Departmental laws, regulations, and policies; (4) Serving as a liaison to the Department on privacy-related matters and coordinating with the Department’s Privacy Officer to carry out Departmentwide privacy activities; (5) Leading the Service’s Privacy Breach Response Team and overseeing the Service’s incident response when a privacy breach occurs; (6) Coordinating the assignment of required annual privacy training and RBPT with the Department and providing additional privacy training and resources for Service employees as necessary; (7) Implementing processes and procedures to evaluate and assess the privacy risks associated with the Service’s programs, IMT projects, websites, information collections, information systems, and other applicable initiatives and technologies; (8) Coordinating with other Service officials, including the Service Chief Records Officer, ACISO, Service FOIA Officer, Information Collection Clearance Officer, and Associate Chief Data Officer to incorporate privacy requirements into related information management functional areas; (9) Maintaining an inventory of Service information systems that maintain or manage PII; (10) Working with programs and System Owners across the Service to: (a) Implement appropriate privacy safeguards and controls to protect PII from compromise or unauthorized disclosure; (b) Review applicable contracts and agreements to ensure appropriate privacy provisions and requirements are included; (c) Complete required privacy documentation, including PTAs, PIAs, and SORNs; (d) Provide individuals with access to their PII and the opportunity to correct or amend records within the system of records consistent with the Department’s Privacy Act regulations (43 CFR 2.237-2.250); and (e) Maintain an accounting of disclosures and make them available upon request in accordance with 43 CFR 2.232; (11) Assisting employees with issues and inquiries related to the creation, processing, maintenance, disclosure, and disposal of PII; and (12) Maintaining privacy program information and resources on the Service’s public website and intranet site. |
| F. Privacy Act System Managers and System Owners | (1) Ensuring information systems under their control comply with applicable privacy requirements throughout the systems’ lifecycles; (2) Limiting the creation and maintenance of PII within systems to only what is authorized and necessary to accomplish the Service’s mission; (3) Coordinating with the APO, ACISO, and others to identify, implement, and monitor appropriate system-level privacy controls and safeguards; (4) Working with the APO to create, update, and maintain required privacy documentation for their systems, including PTAs, PIAs, and SORNs; (5) Reporting any suspected or actual privacy incidents or breaches for their systems and coordinating with the Service’s Privacy Breach Response Team to complete any required corrective actions; and (6) Serving as or designating System Managers for systems of records and ensuring they and designated System Managers are aware of their responsibilities within that role. |
| G. Information System Security Officers | (1) Ensuring Federal and agency information security requirements are met for systems with PII within their areas of responsibility and ensuring operational security is maintained, (2) Working with the APO to develop and update PIAs and other privacy documentation to ensure privacy risks are properly identified and assessed, (3) Ensuring the appropriate security and privacy controls are implemented to mitigate risks and protect privacy data, and (4) Ensuring system security and privacy plans accurately reflect the current security posture of the system. |
| H. Managers/supervisors | (1) Completing mandatory annual privacy training, including RBPT; (2) Ensuring employees assigned RBPT in accordance with their duties complete annual privacy training, including RBPT; (3) Ensuring employees under their supervision who have specific privacy-related responsibilities comply with the requirements of this chapter and any related Service privacy policies, procedures, and requirements; and (4) Immediately reporting suspected or confirmed privacy breaches. |
| I. Employees | (1) Following the requirements of this chapter, the procedures in the Service's Privacy Program Handbook, and the applicable privacy laws, regulations, and policies; (2) Keeping PII secure when not in use and disclosing PII to only those who have an official need to know; (3) Immediately reporting any suspected or confirmed privacy breaches; (4) Completing required privacy training, including RBPT if assigned; and (5) Protecting PII in their custody from inadvertent or deliberate disclosure, modification, or destruction to preserve the security and confidentiality of the information. |
PENALTIES FOR MISHANDLING PRIVACY INFORMATION
1.7 What are the penalties associated with the willful or negligent handling of privacy information?
A. Employees or members of the public may bring a civil or criminal action against the Service related to privacy information. This may be related to a variety of Service actions, including, but not limited to, our:
(1) Refusal to amend a record at an individual’s request;
(2) Failure to maintain a record about an individual as necessary to ensure a fair determination related to the person’s qualifications, character, rights, opportunities, or benefits; or
(3) Failure to comply with any requirement in the Privacy Act or the Department’s Privacy Act regulations in a manner that affects the individual adversely.
B. If a court finds in favor of an individual filing a civil or criminal action, the court may:
(1) Order a correction,
(2) Order an amendment or release of records,
(3) Assign criminal penalties,
(4) Assign fines up to $5,000, and
(5) Require the Service to pay attorneys’ fees and court costs.
C. Employees who violate the Privacy Act or the Department’s Privacy Act regulations may face disciplinary action, including written reprimand, suspension, or removal in accordance with 370 DM 752.