Page:United States Statutes at Large Volume 116 Part 4.djvu/494

 116 STAT. 2922 PUBLIC LAW 107-347—DEC. 17, 2002 imposed on, 10 or more persons, other than agencies, instrumentahties, or employees of the Federal Government. (B) AGENCY ACTIVITIES. — To the extent required under subparagraph (A), each agency shall— (i) conduct a privacy impact assessment; (ii) ensure the review of the privacy impact assessment by the Chief Information Officer, or equivalent official, as determined by the head of the agency; and Public (iii) if practicable, after completion of the review i»^rmation. under clause (ii), make the privacy impact assessment Dublicatim ^'^^' publicly available through the website of the agency, publication in the Federal Register, or other means. (C) SENSITIVE INFORMATION.— Subparagraph (B)(iii) may be modified or waived for security reasons, or to protect classified, sensitive, or private information contained in an assessment. (D) COPY TO DIRECTOR.— Agencies shall provide the Director with a copy of the privacy impact assessment for each system for which funding is requested. (2) CONTENTS OF A PRIVACY IMPACT ASSESSMENT.— (A) IN GENERAL.—The Director shall issue guidance to agencies specifying the required contents of a privacy impact assessment. (B) GUIDANCE.— The guidance shall— (i) ensure that a privacy impact assessment is commensiwate with the size of the information system being assessed, the sensitivity of information that is "^ in an identifiable form in that system, and the risk of hzirm from unauthorized release of that information; and (ii) require that a privacy impact assessment address— (I) what information is to be collected; (II) why the information is being collected; (III) the intended use of the agency of the information; (IV) with whom the information will be shared; (V) what notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared; (VI) how the information will be secured; and (VII) whether a system of records is being created under section 552a of title 5, United States Code, (commonly referred to as the "Privacy Act"). (3) RESPONSIBILITIES OF THE DIRECTOR.—The Director shall— Guidelines. (A) develop policies and guidelines for agencies on the conduct of privacy impact assessments; (B) oversee the implementation of the privacy impact assessment process throughout the Government; and (C) require agencies to conduct privacy impact assessments of existing information systems or ongoing collections of information that is in an identifiable form as the Director determines appropriate. (c) PRIVACY PROTECTIONS ON AGENCY WEBSITES. —

�