Privacy Threshold Assessment & Privacy Impact Assessment

info Purpose

A Privacy Threshold Assessment (PTA) and a Privacy Impact Assessment (PIA) are part of assessing the impact on individual privacy of state information assets and record systems that collect or maintain personal information and identifying the strategies to mitigate such impact.

The purpose of the PTA and PIA process is to assist information owners, program managers, and system owners in incorporating privacy protections into developing and managing state information assets and records. The PIA analysis is organized to align with the Fair Information Practices.

Fair Information Practices Principles

The Information Practices Act is based on principles that express individuals' rights to control their personal information and organizations' obligations to respect those rights: Transparency, Purpose Specification, Collection Limitation, Use Limitation, Individual Participation, Data Quality, Security, and Accountability.

scope Scope

The requirements herein apply to all entities as mandated in the State Administrative Manual (SAM) 5310.8 Privacy Threshold and Privacy Impact Assessments.

Compliance Requirements

gavel Compliance

Government Code (GC) Section 11549.3 empowers the Office of Information Security (OIS) to create, issue, and maintain policies, standards, and procedures; oversee information security risk management for agencies and state entities; provide information security and privacy guidance; and ensure compliance with State Administrative Manual (SAM) Chapter 5300 and Statewide Information Management Manual (SIMM) section 5300.

Entities must adhere to OIS-issued information security and privacy policies and all relevant laws, regulations, and standards governing their agency or entity. Full compliance is expected.

people Responsibilities

I. Privacy Coordinator Responsibilities

Lead information owners, project managers, and other key stakeholders in conducting and documenting the PIA process
Keep a record of PTAs and PIAs conducted
Maintain records including name of system, completion date, and contact information

II. Information Owner Responsibilities

Collaborate with the privacy coordinator to perform the assessment
Document the PTA and PIA in compliance with standard requirements
Ensure implementation of mitigation strategies identified in the process

III. Additional Stakeholder Responsibilities

Key stakeholders collaborate in the PTA and PIA process
Legal counsel, IT staff, and others provide information as needed for the PIA

assignment PTA and PIA Requirements

Entities must conduct PTAs for all proposed and modified information systems, paper or electronic. PIAs are required for information assets and records systems that collect or maintain personal information on individuals.

I. PTAs

A PTA is the first step in determining whether personal information is being collected, used, maintained, or shared within the system, process, project, or program under development.

If all answers to the PTA questions are "NO," a PIA is not required.

If any answers are "YES," a PIA must be completed.

II. PIAs

A PIA should be reviewed and updated whenever a system, process, project, or program undergoes a major change in technology or business practices.

The PIA process has two goals:

Determine the privacy risks and effects of collecting, maintaining, using, and disclosing personal information
Evaluate protections and alternative processes for handling personal information to eliminate or mitigate potential privacy risks

description Access PTA/PIA Form

Ready to begin your Privacy Threshold Assessment and Privacy Impact Assessment? Click below to start the process.

Type of Information	Yes	No
Name, Former Name, or Alias
Date of Birth
Social Security Number (SSN)
Truncated SSN
Driver's License Number or State Identification Card Number
Financial Data (e.g., account number, credit/debit card numbers, etc.)
Health Insurance Information (e.g., including policy number, subscriber identifier, medical ID, or any information in an individual's application or claims history, including appeals records, etc.)
Medical Information (e.g., medical history, mental and physical condition, or medical treatment or diagnosis, etc.)
Username/ID, email address, password, or security question and answer
Physical Description
Biometric Data (e.g., fingerprints, iris scans, DNA, photographic facial images, etc.)
Education History
Employment History
Criminal History
Information or data collected through the use or operation of the automated license plate recognition system
Genetic Data
Other personal information (e.g., home address, email address, mother's maiden name, home phone number, personal cell phone number, place of birth, etc.).

Family	Control
Access Control (AC)	AC-20
Assessment, Authorization, and Monitoring	CA-2
Audit and Accountability	AU-2
Awareness and Training (AT)	AT-1, AT-2, AT-3, AT-3(5), AT-6
Incident Response (IR)	IR-8, IR-8(1)
Media Protection (MP)	MP-6
Personally Identifiable Information Processing and Transparency (PT)	PT-2, PT-3, PT-4, PT-5, PT-5(1), PT-5(2), PT-6
Personnel Security (PS)	PS-1, PS-2, PS-6, PS-8
Planning (PL)	PL-4
Program Management (PM)	PM-3, PM-5(1), PM-18, PM-19, PM-20, PM-21, PM-22, PM-24, PM-25, PM-26, PM-27
Risk Assessment (RA)	RA-3, RA-8
System and Services Acquisition	SA-1, SA-4, SA-8(33), SA-9
System and Information Integrity	SI-1, SI-12, SI-12(1), SI-12(2), SI-12(3), SI-18, SI-18(4), SI-14(5)

Reference	Article
5310-A	Privacy Statement and Notices Standard
5310-B	Privacy Individual Access Standard
GenAI Guidelines

Reference	Article
	Incident Response Policy
	Risk Management Policy
	Security Variance Policy
	Security Variance Process

Commercial data	Commercial data includes information from data aggregators where the information was originally collected by the private organization for non-governmental purposes, such as marketing or credit reporting.
Publicly available data	Publicly available data includes information obtained from the internet, news feeds, or from state or local public records, such as court records, where the records are received directly from the state or local agency, rather than from a commercial data aggregator.

Privacy Threshold Assessment
& Privacy Impact Assessment

info Purpose

Fair Information Practices Principles

scope Scope

Compliance Requirements

gavel Compliance

people Responsibilities

I. Privacy Coordinator Responsibilities

II. Information Owner Responsibilities

III. Additional Stakeholder Responsibilities

assignment PTA and PIA Requirements

I. PTAs

II. PIAs

description Access PTA/PIA Form

Project/Process/System/Program and Data/Information

Project Contact Information

Privacy Threshold Assessment

Will the system collect, use, maintain, or share any of the following types of personally identifiable information as it relates to an individual?

4.1 Privacy Program Administration

4.2 Collection

4.3 Use

4.4 Maintenance and Storage

4.5 Disclose/Share

4.6 Destruction/Disposal

Authorization and Acceptance

verified_user Privacy Threshold / Impact Assessment Authorization and Acceptance

gavel Authority

NIST SP 800-53 and FIPS Reference

library_books Related SIMM and Guideline References

Related Policies, Procedures and Standards

Revision History

Definitions of Key Terms

Additional Information: