Completing the Privacy Impact Assessment (PIA)

PIAs provide a documented process for identifying and protecting personally identifiable information (PII). They ensure that the government has established the necessary safeguards for PII processed, stored, and collected in its information systems.

All NCI PIAs should be completed with assistance from the NCI Privacy Coordinator. For the technical, security, or website-hosting information required for PIAs, contact nciirm [at] mail.nih.gov.

Systems requiring a PIA include:

  • Federal Information Security Modernization Act (FISMA) of 2014-reportable systems operated and maintained by the federal government (contact the NCI ISSO to determine whether your system is FISMA reportable)
  • FISMA-reportable systems operated and maintained by a contracted company on behalf of the federal government
  • FISMA-reportable systems that have not been previously assessed
  • New systems in development
  • Systems that have a PIA but have undergone major change
  • Third-party websites and applications* (TPWAs), which require a special version of the PIA designed only for TPWAs. Visit the HHS TPWA Terms of Service page for more information. Contact the NCI Privacy Coordinator to find out whether the TPWA you wish to use already has an approved PIA on file, since each Institute or Center is only required to have one PIA for each unique TPWA (e.g., one for Facebook)

* TPWAs are web-based technologies that are not exclusively operated or controlled by a government entity, or web-based technologies that involve significant participation of a non-government entity. Often these technologies are located on a ".com" website or another location that is not part of an official government domain. However, third-party applications can also be embedded in or incorporated into an agency's official website.

PIA resources