Today’s Acronym is PIA (Privacy Impact Assessment)

(Part of the biometric product marketing expert series)

Do U.S. government agencies simply run roughshod over your privacy rights?

Not exactly.

Government agencies are required to issue Privacy Impact Assessments (PIAs) for their projects.

The Federal Bureau of Investigation alone has issued over 60 PIAs.

For example, here is the PIA for the Combined National Deoxyribonucleic Acid (DNA) Index System (CODIS).

And if anything needs a PIA, it’s CODIS, since it potentially contains your personally identifiable information…and the personally identifiable information of your relatives.

The PIAs themselves are detailed. The CODIS PIA includes 8 sections with 19 pages of questions and responses. For example, here is the response in section 8 regarding privacy:

The type, quantity, and sources of information collected by FBI CODIS are necessary to identify crime scene offenders, missing persons, or unidentified human remains, or to link multiple crime scenes. Such information is only further disseminated for these purposes. Moreover, NDIS does not store State Identification Number/Universal Control Number or otherwise collect, handle, disseminate, or store contributors’ names. Therefore, CODIS DNA profiles and pedigrees can only be matched to a named individual by the submitting Criminal Justice Agency forensic laboratory, independent of NDIS.

  • The privacy risks associated with the collection and maintenance of FBI CODIS information are inaccurate information, unauthorized access, and unauthorized disclosures.
  • The privacy risks associated with the access and use of FBI CODIS information are unauthorized access, unauthorized (or overly broad) disclosures, and loss of data.
  • The privacy risks associated with the dissemination of FBI CODIS information are the risks of unauthorized disclosures and loss of data.

The risks of unauthorized access, unauthorized disclosures, loss of data and inaccurate information are mitigated by the quality assurance standards promulgated by the FBI pursuant to the Federal DNA Identification Act. These risks are further mitigated by the system, physical access, network-infrastructure, auditing and quality assurance controls, as described more specifically in Sections 6.1 and 6.2, which are in compliance with FIPS Publication 199, as applicable.

The risk of inaccurate information is also specifically mitigated through the identity verification process performed by participating Criminal Justice Agency forensic laboratories to confirm a potential match. The identity must be confirmed prior to the disclosure of any personally identifiable information to the law enforcement entity who submitted the DNA sample.

Lastly, notice is provided as described in Section 5.1.

1 Comment

  1. bredemarket says:

    A little competitive analysis secret: if you’re having difficulty finding technical information on a government project (such as CODIS), sometimes its PIA can reveal things.
