Critical analysis needed 1
Privacy Impact Assessments (PIA)
A privacy impact assessment (PIA) is a decision tool that can analyze about how personal information is collected, used, and maintained in a program. The purpose of a PIA is to prove that system owners or program managers consciously implement privacy protections throughout their development life cycle for their programs. In fact, the E-Government Act of 2002 requires for program managers to implement a PIA because it can help improve management and promotion (Privacy Impact Assessments, n.d). A PIA is a great tool that can be used to increase communication on how we can handle and address many of the privacy concerns that are still being faced today.
There are a variety of practices that a federal IT manager can be include when they are preparing to implement a PIA. One practice a federal IT manager can implement is to determine when a PIA should be conducted. In fact, it is recommended that a PIA should be conducted for new systems and if a major incident occurs on a system. Another practice that an IT manager should implement is by assigning roles and responsibilities for the necessary staff that will be completing the PIA. It is important for the federal IT manager to make sure that each staff member needs to understand their roles and duties to make sure they complete the PIA properly without losing any confidential information. A third practice that a federal IT manager should also include is to familiarize themselves about the process, form, and tools when preparing a PIA. It is important for an IT manager to familiarize themselves when preparing a PIA because it will be less time consuming and easier to mitigate potential privacy risks while handling the confidential information (McCallister, E., Grance, T., & Scarfone, K, 2010). These are some of the practices a federal IT manager should look into when they prepare their own PIA.
However, there are also worst practices that are still around that a federal IT manager should not implement when they are protecting the privacy of individuals. One practice that should not be recommended is the use of data mining. Many data mining systems that are used do not provide the necessary privacy protections, leaving an organization at risk of losing a person’s personal information by being compromised from a malicious user. It is recommended that the data mining system should be deactivated until a PIA is approved that includes the system as a component being used in the PIA (Wilshusen, G. C, 2012). Another worst practice that should not be used is the use of excessive data collecting. With an increase of corporations collecting private information from individuals, it can also increase the risk of potential data breaches that can occur. It is recommended for an IT manager to limit the collection of personal information and to limit the time of how the collected data is retained. Lastly, one worst practice that an IT manager should not implement is the use of swapping data. Swapping data is where a user replaces certain parts of the records with another similar record. This practice is ineffective and it is not recommended to be implemented due to the privacy risks that can occur by including false information about an individual.
A PIA is an excellent decision tool that is used by a variety of government agencies to identify and mitigate any privacy risks from their information systems that collect personal information of individuals. In addition, a PIA also provides cost effective solutions that address privacy issues that may arise during the assessment. Federal agencies that conduct PIA’s are able to support good governance and proper decision making to ensure that the personal information is being handled properly. A PIA is an excellent decision tool that is able to build trust and confidence for individuals that may have privacy concerns on how federal agencies are managing the data they collect.
References
McCallister, E., Grance, T., & Scarfone, K. (2010). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). 1-59. Retrieved May 23, 2016, from http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
Privacy Impact Assessments. (n.d.). Retrieved May 23, 2016, from https://www.ftc.gov/site-information/privacy-policy/privacy-impact-assessments
Wilshusen, G. C. (2012). Federal Law Should Be Updated to Address Changing Technology Landscape. 1-18. Retrieved May 23, 2016, from http://www.gao.gov/assets/600/593146.pdf