FERC is committed to ensuring compliance with all privacy laws, regulations, and policies related to the protection of personally identifiable information (PII) entrusted to this Commission by its customers, the public and its employees. The Senior Agency Official for Privacy (SAOP) is responsible for maintaining agency-wide compliance with all applicable statutes, regulations, and policies regarding the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII.
The following is a summary of FERC’s privacy compliance process and documentation
Privacy Threshold Analysis (PTA)
FERC’s privacy compliance process begins with completing a PTA on all Federal Information Security Management Act (FISMA) reportable systems. A PTA is a required document that serves as the official determination as to whether a system, subsystem, component, or application has privacy implications and if additional privacy compliance documentations are required, such as a PIA and a SORN.
A PTA determines whether a FERC system collects, stores, maintains, shares, disseminates, retains or disposes of PII. Once it is determined a system collects PII, a PIA may be required.
Privacy Impact Assessment (PIA)
A PIA is a decision-making tool used to identify and mitigate privacy risks at the beginning of and throughout the system development life cycle. A PIA is a publically available document that informs the public about what PII FERC collects, why it’s collected, and how it will be used, stored, maintained, retained, disseminated, shared, disposed of, and secured.
Once the SAOP reviews the PTA questionnaire and determines a PIA is required, an individual from the CIO’s office will work collaboratively with the system owner to prepare a PIA.
To view the PIA for a FERC automated system listed below, click on the system name:
» Automated Acquisition Management Solution (AAMS)
» FERC Enterprise Messaging System 2 (FEMS2)
» FERC Online (FOL)
» General Support System (GSS)
System of Records Notice (SORN)
A system of records is a group of any records under the control of any Federal agency from which information is retrieved by a unique personal identifier, such as the name of the individual or by some identifying number, symbol, or other identifying distinction assigned to the individual. Once records are determined to be retrieved by a unique personal identifier, a SORN (formal notice) is published in the Federal Register to notify the public about the purpose for which PII is collected, from whom it is collected, what type of PII is collected, how the PII is shared externally (through routine use(s)) and who to contact to access and amend records maintained by FERC.
Select the following FERC's exemptions to the Privacy Act
» FERC-58 – Critical Energy Infrastructure Information Records
» FERC 59 – Enforcement Investigations
» FERC 60 – Hotline Records
Privacy Act Statement
The Privacy Act of 1974 (5 U.S.C. 552a) provides protection to individuals by ensuring that personal information collected by Federal agencies is limited to that which is legally authorized and necessary and is maintained in a manner that prohibits unwarranted intrusions on individual privacy.
Pursuant to 5 U.S.C. §552a(e)(3), agencies are required to provide what is commonly referred to as a Privacy Act statement to individuals prior to the collection of Personally Identifiable Information (PII) that will be entered into a system of records (i.e., information that will be stored and retrieved using the individual’s name or other personal identifier, such as a social security number).