Purpose
A Privacy Threshold Assessment (PTA) and a Privacy Impact Assessment (PIA) are part of assessing the impact on individual privacy of state information assets and record systems that collect or maintain personal information and identifying the strategies to mitigate such impact.
The purpose of the PTA and PIA process is to assist information owners, program managers, and system owners in incorporating privacy protections into developing and managing state information assets and records. The PIA analysis is organized to align with the Fair Information Practices.
Fair Information Practices Principles
The Information Practices Act is based on principles that express individuals' rights to control their personal information and organizations' obligations to respect those rights: Transparency, Purpose Specification, Collection Limitation, Use Limitation, Individual Participation, Data Quality, Security, and Accountability.
Scope
The requirements herein apply to all entities as mandated in the State Administrative Manual (SAM) 5310.8 Privacy Threshold and Privacy Impact Assessments.
Compliance Requirements
Government Code (GC) Section 11549.3 empowers the Office of Information Security (OIS) to create, issue, and maintain policies, standards, and procedures; oversee information security risk management for agencies and state entities.
Compliance
Government Code (GC) Section 11549.3 empowers the Office of Information Security (OIS) to create, issue, and maintain policies, standards, and procedures; oversee information security risk management for agencies and state entities; provide information security and privacy guidance; and ensure compliance with State Administrative Manual (SAM) Chapter 5300 and Statewide Information Management Manual (SIMM) section 5300.
Entities must adhere to OIS-issued information security and privacy policies and all relevant laws, regulations, and standards governing their agency or entity. Full compliance is expected.
Responsibilities
I. Privacy Coordinator Responsibilities
- Lead information owners, project managers, and other key stakeholders in conducting and documenting the PIA process
- Keep a record of PTAs and PIAs conducted
- Maintain records including name of system, completion date, and contact information
II. Information Owner Responsibilities
- Collaborate with the privacy coordinator to perform the assessment
- Document the PTA and PIA in compliance with standard requirements
- Ensure implementation of mitigation strategies identified in the process
III. Additional Stakeholder Responsibilities
- Key stakeholders collaborate in the PTA and PIA process
- Legal counsel, IT staff, and others provide information as needed for the PIA
PTA and PIA Requirements
Entities must conduct PTAs for all proposed and modified information systems, paper or electronic. PIAs are required for information assets and records systems that collect or maintain personal information on individuals.
I. PTAs
A PTA is the first step in determining whether personal information is being collected, used, maintained, or shared within the system, process, project, or program under development.
If all answers to the PTA questions are "NO," a PIA is not required.
If any answers are "YES," a PIA must be completed.
II. PIAs
A PIA should be reviewed and updated whenever a system, process, project, or program undergoes a major change in technology or business practices.
The PIA process has two goals:
- Determine the privacy risks and effects of collecting, maintaining, using, and disclosing personal information
- Evaluate protections and alternative processes for handling personal information to eliminate or mitigate potential privacy risks
Access PTA/PIA Form
Ready to begin your Privacy Threshold Assessment and Privacy Impact Assessment? Click below to start the process.