Completing the Privacy Impact Assessment (PIA)

PIAs provide a documented process for identifying and protecting personally identifiable information (PII). They ensure that the government has established necessary safeguards for PII processed, stored, and collected in its information systems.  

All NCI PIAs should be completed with assistance from the NCI Privacy Coordinator. For the technical, security, or website-hosting information required for a PIA, contact nciirm [at] mail.nih.gov.

Systems requiring a PIA include:

  • All FISMA-reportable electronic systems (these include General Support Systems, Major Applications, and Minor Standalone Applications owned or operated by the NIH or on its behalf, whether internally hosted, externally hosted, or cloud hosted). Consult with your IC ISSO to determine whether your system is FISMA-reportable;
  • All Uses of Third-party websites and applications* (TPWA). Visit the HHS TPWA Terms of Service page for more information. Contact the NCI Privacy Coordinator to find out if the TPWA you wish to use already has an approved PIA on file, since each Institute or Center is only required to have one PIA for each unique TPWA (e.g., for Facebook);
  • All surveys that contain or process PII and Sensitive Information (these include online surveys, employee surveys that ask for non-work-related information, and surveys included as part of an OMB request for clearance under the Paperwork Reduction Act to survey 10 or more members of the public in order to evaluate a program, etc.).

* TPWAs are web-based technologies that are not exclusively operated or controlled by a government entity, or web-based technologies that involve significant participation of a non-government entity. Often these technologies are located on a ".com" website or other location that is not part of an official government domain. However, third-party applications can also be embedded or incorporated on an agency’s official website.

PIA resources