The Under Secretary for Finance and Administration
Smithsonian Institution
Washington, DC 20013-7012
Privacy@si.edu




                                    August 3, 2011


FROM:              Alison McNally
                   Under Secretary for Finance and Administration

                   Rosalind Kennedy
                   Smithsonian Privacy Officer

SUBJECT:           Smithsonian Privacy Program Guidance


I.     Purpose:

       The purpose of this Memorandum is to establish the roles and responsibilities
associated with the Smithsonian privacy program and the Smithsonian Data
Governance Principles, which will serve as the foundation for developing and
implementing privacy policy and procedures. This guidance applies to all Smithsonian
museums, research centers, and offices, including subordinate organizations,
employees, Fellows, research associates, contractors, and volunteers (collectively
referred to herein as Smithsonian staff).

II.   Roles and Responsibilities:

      The Smithsonian Privacy Officer (SPO) is responsible for developing and
      monitoring implementation of privacy policies and procedures to support a
      privacy program at the Smithsonian. The SPO will conduct privacy reviews of
      Smithsonian programs and initiatives that collect, maintain, and disseminate
      personally identifiable information (PII);

      The Office of General Counsel (OGC) provides general legal advice on privacy
      matters;

      The Office of the Chief Information Officer (OCIO) is responsible for conducting
      security reviews of all information technology systems, including websites and
      applications that collect, maintain, and disseminate PII;

      The Office of Protection Services (OPS) is responsible for monitoring the
      physical security of Smithsonian systems and records;

      Smithsonian Institution Archives (SIA) carries out a program of records
      management services for Smithsonian offices, advising on the disposition of
      records and pertinent documentary materials, and operates a Records Center for
      the temporary storage of scheduled records;

      The Office of Contracting and Personal Property Management (OCon&PPM) is
      responsible for developing and implementing policies and procedures for the
      control and proper record keeping of all Smithsonian personal property, including
      items used to collect, maintain, and disseminate PII;

      The Office of Human Resources (OHR) is responsible for providing policy
      guidance and assistance to Smithsonian management and staff concerning
      personnel matters; and

      Smithsonian Units, Directors, and Smithsonian staff are responsible for ensuring
      that the Smithsonian Data Governance Principles are considered whenever
      Smithsonian initiatives raise privacy concerns or involve the collection,
      maintenance, and dissemination of PII.

III.     Application of the Smithsonian Data Governance Principles:

       The Smithsonian Data Governance Principles govern the collection,[1]
maintenance,[2] and dissemination[3] of PII. PII refers to information about individuals
maintained by the Smithsonian, including information which can be used to distinguish
or trace an individual’s identity and any other information that is linked or linkable to an
individual, such as medical, educational, financial or employment information.
Examples of PII include, but are not limited to:

              General Personal Data: full name, maiden name, alias, and full date of birth;
              Address Information: street address or email address;
              Personal Identification Number: Social Security Number, passport number,
              driver’s license number, taxpayer identification number, financial account
              number, or credit card number;
              Security Information: password or mother’s maiden name; and
              Personal Characteristics: photographs that identify individuals, fingerprints,
              handwriting, and biometric data such as retina scans, voice signatures, and
              facial geometry.

        As a public trust operating on behalf of the American public to carry out its
mission “to increase and diffuse knowledge,” the Smithsonian must collect, maintain,
and disseminate PII in a manner that does not adversely impact the integrity of, or the
public’s confidence in, the Smithsonian, its work, or its mission. Establishing the
Smithsonian Data Governance Principles will ensure that the Smithsonian collects,
maintains, and disseminates PII in a manner that allows it to fulfill its mission while
protecting privacy. These principles will apply to all Smithsonian programs and
initiatives which collect, maintain, and disseminate PII.

[1] Collection refers to gathering or grouping PII. For example, if a unit requests that individuals provide an email
address to receive an electronic newsletter, the unit is collecting PII. If a unit requests that visitors complete forms
during visits (e.g., name, home address, and email address), the unit is collecting PII.

[2] Maintenance refers to keeping, preserving, or saving PII (e.g., collecting names and email addresses and storing
the information in a computer database or a file cabinet).

[3] Dissemination refers to sharing PII (e.g., sharing names and email addresses with another Smithsonian Institution
unit, a third-party marketing company, a federal agency, etc.).

IV. The Smithsonian Data Governance Principles:

       The Smithsonian adopts the following eight (8) principles and seeks to apply
them to all Smithsonian programs and initiatives which collect, maintain, and
disseminate PII. The Smithsonian Data Governance Principles must be considered
whenever Smithsonian Institution programs or initiatives raise privacy concerns or
involve the collection, maintenance, and dissemination of PII.

                     Transparency: The Smithsonian shall be transparent by providing
                     notice to individuals regarding the collection, maintenance, and
                     dissemination of PII.

                     Individual Participation: The Smithsonian shall seek individual
                     consent for the collection, maintenance, and dissemination of PII.
                     The Smithsonian should provide mechanisms for correction and
                     redress of grievances concerning the Smithsonian’s use of PII.

                     Purpose Specification: The Smithsonian shall specifically
                     articulate the purpose(s) for which the PII is intended to be used.

                     Data Minimization: The Smithsonian shall collect only the
                     information that is directly relevant to achieving stated purposes,
                     and shall retain that information only as long as necessary to
                     achieve those purposes.

                     Use Limitation: The Smithsonian shall use PII only for the
                     purpose(s) specified in the notice. Sharing of information outside
                     the Smithsonian should only be for a purpose specified in the
                     notice.

                     Data Quality and Integrity: The Smithsonian shall take
                     reasonable steps to ensure that the PII it collects, maintains, and
                     disseminates is accurate and complete.

                     Security: The Smithsonian shall take reasonable steps to ensure
                     that all PII is secure from unauthorized access, use, destruction, or
                     disclosure.

                     Accountability and Auditing: The Smithsonian shall be
                     accountable for complying with these principles, providing training
                     to all employees, volunteers, interns, researchers, and contractors
                     who collect, maintain, and disseminate PII, and for auditing the use
                     of PII to demonstrate compliance with these principles and all
                     applicable privacy protection requirements.

       Questions concerning the Smithsonian Data Governance Principles should be
directed to the SPO at privacy@si.edu.



