Section 208 of the E-Government Act of 2002 (Public Law 107–347) establishes Government-wide requirements for conducting, reviewing, and publishing Privacy Impact Assessments (PIA). OMB Memorandum M-03-22 directs all Federal agencies, including the Department of Defense, to conduct PIAs. DoD Instruction (DoDI) 5400.16 (February 12, 2009) directs all DOD components to analyze and ensure personally identifiable information (PII) in electronic form is collected, stored, protected, used, shared, and managed in a manner that protects privacy.
PIAs are completed on all new or significantly altered DoD Information Systems and electronic collections, including those supported through contracts with external sources that collect, maintain, use, or disseminate PII about members of the public, Federal personnel, contractors, or in some cases foreign nationals in order to:
- Ensure PII handling conforms to applicable legal, regulatory, and policy requirements regarding privacy;
- Determine the need, privacy risks, and effects of collecting, maintaining, using, and disseminating PII in electronic form; and
- Examine and evaluate protections and alternative processes to mitigate potential privacy risks.