FISMA Certification and Accreditation Handbook

Chapter 13: Conducting a Privacy Impact Assessment

Civilization is the progress toward a society of privacy.

Ayn Rand

Introduction

A Privacy Impact Assessment (PIA) is the process used to determine whether personally identifiable private information is being appropriately safeguarded. Beyond financial loss and loss of life, information technology systems also raise privacy considerations. Some federal agencies have databases with highly sensitive information such as medical records, tax records, and information about private citizens. The Privacy Act of 1974 requires each federal agency to establish:

appropriate administrative, technical and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience or unfairness to any individual on whom information is maintained. [1]

Agencies need to establish rules of conduct for systems developers as well as penalties for noncompliance. Privacy Impact Assessments of public Web sites and sensitive systems need to be conducted to ascertain if individuals' Social Security numbers, gender, race, date of birth, and financial status are subject to exposure. The point of a Privacy Impact Assessment is to determine if systems, Web sites, and applications comply with all federal laws, regulations, and security policies. Threats to privacy and mitigating factors should also be noted in a PIA. The assets that store the data subject to privacy policy provisions and laws should be determined and understood.

[1] The Privacy Act of 1974. United States Department of Justice. Updated September 26,...
