TREASURY DIRECTIVE 25-07

DATE: January 11, 2022

SUBJECT: Privacy and Civil Liberties Impact Assessment

  1. PURPOSE. This Directive states policy and assigns responsibilities for implementing the privacy provisions of the E-Government Act of 2002 (the Act). The purpose of this Directive is to ensure sufficient protections for personally identifiable information about the public that the Department of the Treasury, including its Bureaus and Offices (collectively “Treasury” or “the Department”), collects, maintains, and disseminates as necessary to perform its mission.
  2. SCOPE. This Directive applies to all bureaus, offices, and organizations in the Department of the Treasury that are responsible for conducting Privacy and Civil Liberties Threshold Assessments (PCLTAs) and Privacy and Civil Liberties Impact Assessments (PCLIAs).
  3. DEFINITIONS.
    1. Bureau Heads. The individual responsible for leading each bureau, including the Treasury Inspector General, the Treasury Inspector General for Tax Administration, the Treasury Special Inspector General for the Troubled Asset Relief Program, the Treasury Special Inspector General for Pandemic Recovery, and the Assistant Secretary for Management and Chief Financial Officer (for Departmental Offices). The authority of the Inspectors General is set forth in Section 6 of the Inspector General Act, the Internal Revenue Service Restructuring and Reform Act, Section 5231 of the Emergency Economic Stabilization Act, and Section 4018 of the Coronavirus Aid, Relief, and Economic Security Act, and defined in Treasury Order 114-01 (OIG) and Treasury Order 115-01 (TIGTA), or successor orders. The provisions of this Directive shall not be construed to interfere with that authority.
    2. Bureau Privacy and Civil Liberties Officer (BPCLO). An individual assigned by each Treasury Bureau Head to serve as the point of contact for matters related to all bureau privacy and civil liberties issues, including PCLTAs and PCLIAs.
    3. Individual. A citizen of the United States or an alien lawfully admitted for permanent residence.
    4. Personally Identifiable Information (PII). Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information linked or linkable to a specific individual.
    5. Information Technology (IT) systems. As defined in the Clinger-Cohen Act, any equipment, software, or interconnected system or subsystem that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.
    6. Civil Liberties. In the context of a PCLTA/PCLIA, means individual rights protected by the Bill of Rights (the first ten amendments to the U.S. Constitution) to the extent they are potentially affected by Treasury’s collection, use, maintenance, and disclosure of PII.
    7. Privacy and Civil Liberties Impact Assessment (PCLIA). An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of PII maintained in an electronic information system, and (iii) to examine and evaluate privacy controls for an information system and alternative processes for handling PII to mitigate potential privacy concerns.
    8. Privacy and Civil Liberties Threshold Assessment (PCLTA). A written risk assessment a system owner is required to complete: (1) when it is unclear if a PCLIA is required for new IT; (2) prior to enhancement or modification of existing IT for which a PCLIA was not previously conducted (e.g., to determine if the modification will result in PII being added or created); and (3) to document a Reviewing Official’s determination that a PCLIA is not required.
    9. Privacy controls. This encompasses the administrative, technical, and physical safeguards employed within an agency to ensure compliance with applicable privacy requirements and manage privacy risks.
    10. Reviewing Official. The bureau BPCLO or a designated bureau (or DO) official who reviews and approves PCLTAs and PCLIAs. This person must be someone other than the official procuring the system or conducting the PCLTA or PCLIA.
    11. System developer. Personnel who design, develop, and integrate IT for the system owner. The system developers must consult with the relevant bureau BPCLO to address whether the implementation of the System Owner’s requirements presents any threats to privacy.
    12. System of Records Notice (SORN). The Privacy Act requires that each agency that maintains a system of records must publish a SORN in the Federal Register that identifies the purpose for which information about an individual is collected, from whom and what type of information is collected, how the information is shared with individuals and organizations outside/external to Treasury (routine uses), and what an individual must do if they want to access and/or correct any records Treasury maintains about them.
    13. System owner. The Treasury bureau, office, or program official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of a Treasury IT system. This person is typically the official in the program office who is responsible for the use of the system and who implements the legal information resources management requirements of the Department, such as the guidance contained in Office of Management and Budget (OMB) Memorandum 03-22, dated September 26, 2003.
  4. POLICY. It is the policy of the Department of the Treasury to:
    1. conduct a PCLTA when required by this Directive or applicable bureau policy;
    2. conduct a PCLIA before developing or procuring IT systems or initiating projects that collect, maintain, or disseminate PII received from or about members of the public or received from third parties (including other federal agencies) about members of the public;
    3. conduct a PCLIA when issuing new or updated rulemaking that affects PII;
    4. ensure that privacy and civil liberties impact is assessed in a PCLIA or Joint Information Collection Request (ICR)/PCLIA when initiating, consistent with the Paperwork Reduction Act (PRA), a new electronic collection of PII for ten or more persons (excluding agencies, instrumentalities, or employees of the federal government);
    5. update PCLIAs where modification of a Treasury IT system creates new privacy risks affecting the collection, processing, storage, access to, transmission, and/or disposition of PII;
    6. update PCLIAs to reflect changed information collection authorities, business processes, or other factors affecting the collection and handling of PII about members of the public and ensure that PCLIAs are evaluated to determine if an update is required at least once every three years or sooner as necessary to meet continuous monitoring requirements (including, where appropriate, redating the PCLIA to memorialize completion of an evaluation and determination that a PCLIA update is unnecessary);
    7. make the PCLIA publicly available in plain language on the bureau website, except when publication of the PCLIA or portions thereof will create a security risk that cannot be remedied (e.g., through redaction or summarizing content), reveal classified information (i.e., national security), or information that is potentially damaging to national interest, a law enforcement effort or a competitive business interest;
    8. protect the PII collected in federal records and on federal websites pursuant to all statutes relating to agency use, collection, and disclosure of such information; and
    9. require appropriate clauses in agreements and discuss associated risks in the PCLIA when the bureau or office provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function as required by 5 USC 552a, subsection (m)(1).
  5. RESPONSIBILITIES.
    1. The Assistant Secretary for Management (ASM), as Treasury’s Chief Privacy and Civil Liberties Official and Senior Agency Official for Privacy, shall be responsible and accountable for ensuring:
      1) Bureau heads appoint a BPCLO and qualified agency personnel to perform PCLTAs and PCLIAs;
      2) development, implementation, and maintenance of an agency-wide privacy program to ensure compliance with all applicable statutes, regulations, and policies regarding the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII by programs and IT systems;
      3) development and evaluation of privacy policy, and management of privacy risks;
      4) PCLIAs are used to identify unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to the use of Social Security numbers as a personal identifier;
      5) PCLIAs (and PCLTAs, when required) are conducted when developing, procuring, or using Treasury IT, in accordance with the e-Government Act;
      6) PCLIAs are drafted with sufficient clarity and specificity to demonstrate that the agency fully considered privacy and incorporated appropriate privacy controls from the earliest stages of the agency activity and throughout the information life cycle; and
      7) privacy risks are cost-effectively managed and risks (as identified in part, in the PCLIA) are reduced to an acceptable level.
    2. The Deputy Assistant Secretary for Privacy, Transparency, & Records (DAS PTR), the principal advisor to the ASM on Privacy and Civil Liberties issues, shall:
      1) ensure Departmental compliance with the Privacy Act, Section 208 of the e-Government Act, OMB Memorandum 03-22, and other privacy-related OMB memorandums and circulars;
      2) ensure that the DO BPCLO performs the duties required in this directive;
      3) act as the Reviewing Official for Departmental Offices’ PCLTAs and PCLIAs;
      4) ensure the creation of Departmental PCLTA/PCLIA templates, make them available for bureau use, and provide PCLIA training, as needed;
      5) ensure the review of bureau PCLTA/PCLIA templates (if different from the Departmental template) and policies, and provide feedback to Treasury bureaus on PCLIA drafts, upon request; and
      6) establish a process for conducting PCLIA compliance reviews, provide policy guidance and direction on privacy protection policy implementation matters as they relate to compliance with the Privacy Act and Section 208 of the e-Government Act, and coordinate the annual report to OMB on the Department's compliance with Section 208 of the e-Government Act.
    3. The PTR Director for Privacy and Civil Liberties (PCL) shall:
      1) serve as the BPCLO for Departmental Offices; and
      2) act on behalf of and report to the DAS PTR, as directed, on matters relating to the implementation of the Privacy Act, Section 208 of the e-Government Act, OMB Memorandum 03-22, and other privacy-related OMB memorandums and circulars.
    4. The Bureau Heads shall:
      1) designate a BPCLO (and provide that person’s name and contact information to PTR, updating as necessary) and qualified agency personnel to implement Section 208 of the Act, including the drafting, review, and approval of PCLTAs and PCLIAs for IT systems and information collections before developing or procuring such systems or initiating any new information collections containing PII from or about the public, and require meaningful participation in the PCLIA process from the BPCLO and stakeholders in all relevant functional areas, including the program managers, system owners, the system developer, information technology experts, IT security officials, legal counsel, and other relevant agency officials;
      2) ensure that the bureau BPCLO performs the duties required in this TD;
      3) oversee the evaluation of the privacy controls for IT systems that maintain PII and ensure that the PII is acquired, developed, enhanced, maintained, and disposed of in accordance with Treasury and Bureau requirements; and
      4) ensure that bureau PCLIAs are made publicly available in plain language on the bureau’s public website (except as otherwise stated in this directive) and internally available within Treasury as required for IT investment and other purposes.
    5. The Bureau Privacy and Civil Liberties Officer (BPCLO) shall:
      1) serve as the point of contact for matters related to bureau privacy and civil liberties, including PCLTA and PCLIA issues;
      2) identify and engage all bureau stakeholders whose input is necessary to ensure complete bureau review and comment on proposed data calls and document reviews to assist PTR and Treasury in meeting all statutory, Office of the Inspector General, OMB, Government Accountability Office (GAO), or other reporting requirements, including those related to PCLTAs and PCLIAs;
      3) maintain day-to-day oversight and responsibility for ensuring continued bureau privacy and civil liberties policy implementation, training, monitoring, and compliance;
      4) provide guidance and training, as needed, to employees and contractors who conduct PCLTAs/PCLIAs and make bureau PCLIAs publicly available in plain language on the bureau’s public website (except as otherwise stated in this directive);
      5) facilitate bureau subcomponents in the development and implementation of policies and procedures necessary to address unique bureau privacy and civil liberties issues, including issues identified during the PCLTA or PCLIA processes;
      6) routinely review bureau privacy and civil liberties procedures, including those related to PCLTAs/PCLIAs, to ensure they are current, comprehensive, and fully comply with applicable law and policy; and
      7) oversee mitigation and remediation of reported PII breaches and violations of Treasury and bureau PII collection, use, access, and disclosure policies.
  6. AUTHORITIES.
    1. Consolidated Appropriations Act of 2005, Public Law 108-447, Division H, Section 522.
    2. E-Government Act of 2002, Public Law 107-347, Section 208, and Title III, the Federal Information Security Management Act.
    3. Clinger-Cohen Act, Public Law 104-106, Division E.
    4. Paperwork Reduction Act of 1995, Public Law 104-13.
    5. Privacy Act of 1974, Public Law 93-579, as amended.
    6. Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended.
    7. Treasury Order 102-25, “Delegation of Authority Concerning Privacy and Civil Liberties.”
  7. REFERENCES.
    1. OMB Circular A-108, “Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act.”
    2. OMB Circular A-130, “Management of Federal Information Resources.”
    3. OMB M-16-24, “Role and Designation of the Senior Agency Official for Privacy.”
    4. OMB M-16-17, “OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control.”
    5. “OMB’s Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988.”
    6. OMB M-03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”
    7. TD 80-05, “Records and Information Management Program.”
    8. TD P 80-05, “Records and Information Management Manual.”
    9. TD P 84-04, “Information System Life Cycle Manual.”
    10. TD P 85-01, “Treasury Information Technology Security Program.”
  8. OFFICE OF PRIMARY INTEREST. Office of the Assistant Secretary for Management, and the Office of Privacy, Transparency, & Records.


/S/
Trevor Norris
Acting Assistant Secretary for Management