PRIVACY PROCEDURES - DEPARTMENT/FIELD OFFICES/POSTS
(CT:RMH-32; 04-10-2025)
(Office of Origin: A/SKS/PPKM/PRV)
5 FAH-4 H-421 PURPOSE
(CT:RMH-32; 04-10-2025)
This subchapter provides guidelines and procedures for implementing the regulations published in 5 FAM 460, Privacy Policy.
5 FAH-4 H-422 SCOPE
(CT:RMH-32; 04-10-2025)
This handbook contains specific guidelines for privacy compliance documentation for general maintenance of PII that is applicable to any Department user handling information about individuals. For information on the policies and authorities that govern privacy compliance at the Department, please visit 5 FAM 460.
5 FAH-4 H-423 Breach Response
(CT:RMH-32; 04-10-2025)
5 FAH-4 H-423.1 Reporting a Breach
(CT:RMH-32; 04-10-2025)
Report a breach using the Breach Incident Form, available on the Privacy Office’s intranet site. For cyber incidents, the completed form automatically sends a report to the Bureau of Diplomatic Security, Cyber and Technology Security Directorate, Cyber Incident Response Team, consistent with the Cyber Incident Response Team Plan and any published bureau or post procedures.
5 FAH-4 H-424 Privacy Risk Management
(CT:RMH-32; 04-10-2025)
5 FAH-4 H-424.1 Privacy Impact Assessment (PIA)
(CT:RMH-32; 04-10-2025)
System owners can request a copy of their system’s most recently finalized PIA by emailing the Privacy Office directly.
5 FAH-4 H-424.1-1 PIA Process for Systems Under Authorization to Operate (ATO)
(CT:RMH-32; 04-10-2025)
a. The Privacy Office’s Privacy Impact Assessment (PIA) process for systems undergoing the Authorization to Operate (ATO) process is conducted via the Governance, Risk and Compliance tool, Archangel.
b. The PIA process begins with the system owner completing the FIPS 199 card and Privacy Questionnaire to specify the Personally Identifiable Information (PII) processed in their system and notifying the Privacy Analyst when these documents are completed.
c. The Privacy Analyst makes a privacy determination based on the FIPS 199 card and Privacy Questionnaire.
d. Once the privacy determination has been made, the system owner drafts the PIA utilizing the PIA Guide.
e. The PIA is complete when the SAOP or their delegate signs the approval memo, the system owner has completed the signature page in Archangel, and the Privacy Office has uploaded the approval memo to Archangel.
5 FAH-4 H-424.1-2 PIA Process for Classified Systems and/or Systems Without ATOs
(CT:RMH-32; 04-10-2025)
a. For systems that are classified and/or do not undergo the ATO process, the system owner must reach out to the Privacy Office to request a privacy determination of the PII in their system.
b. Once the privacy determination has been made, the system owner drafts the PIA using the PIA Guide.
c. The system owner must submit their completed PIA draft to the Privacy Office via the Privacy Customer Center on the Privacy Office’s intranet site.
d. The PIA is complete when the SAOP or their delegate signs the approval memo and the system owner has completed the signature page via the DS-4254 PIA Certifications form in myData.
5 FAH-4 H-424.2 Security Categorization and System Authorization
(CT:RMH-32; 04-10-2025)
a. FIPS Publication 199 establishes the security categorization of all information and information systems and provides appropriate levels of information security according to risk level. System owners must document business type, lines of business, and privacy identifiers, if applicable, within the FIPS 199 card in Archangel.
b. The FIPS 199 card can be found in Phase II of Archangel, the Department's Governance, Risk Management, and Compliance tool. When selecting the business type and lines of business, system owners should ensure selections align with NIST SP 800-60 information types. The privacy identifiers are available for selection in a dropdown menu to the right of the “line of business.”
c. If the line of business does not use privacy identifiers, system owners should select “No PII is collected, stored, or transmitted” within the text field.
5 FAH-4 H-424.3 System of Records Notice (SORN)
(CT:RMH-32; 04-10-2025)
a. System owners must use the Department’s SORN Guide and Template to write a SORN for any new or modified system or a rescindment notice for a rescinded system, in coordination with the Privacy Office, Office of the Legal Adviser (L), the Enterprise Records Management Office (A/SKS/PPKM/ERM), and other stakeholders as necessary.
b. System owners must work with their designated Privacy Analyst to draft the new, modified, or rescindment SORN in accordance with the templates outlined in OMB Circular A-108. This is an iterative process, as system owners and their Privacy Analyst work through content, formatting, and revisions. Once the draft is completed, it will be included in a SORN package prepared by the Privacy Analyst who will oversee the clearance process. A typical SORN package will include the following elements:
(1) New, modified, or rescindment SORN draft;
(2) Narrative Statement;
(3) Clearance Page;
(4) OMB-OIRA letter; and
(5) Copy of previous SORN publication (for modified and rescindment SORNs).
c. Privacy Analysts will ensure SORN packages include all the appropriate elements and will oversee the clearance process on behalf of the system owner. The SORN package must be reviewed and cleared by the following points of contact (POCs):
(1) Privacy Program Manager (PM)
(2) Privacy Office Director
(3) Office of the Legal Adviser (L)
(4) Chief Privacy Officer (CPO)
(5) Senior Agency Official for Privacy (SAOP)
Suggested edits, revisions, and/or questions raised by any POC to any element of the SORN package will be relayed by the Privacy Analyst to the system owner. All edits, revisions, and/or questions must be addressed by the system owner before the package can move to the next POC.
d. L reviews and provides guidance on SORNs throughout the process, giving clearances as necessary. The SAOP provides clearance for submission to the Office of Management and Budget (OMB) for review.
e. The Privacy Office submits the OMB-reviewed SORN for publication in the Federal Register and provides notification to the Bureau of Legislative Affairs (H) for relevant congressional committees.
f. The Privacy Office conducts biennial reviews of each SORN with system owners following publication in the Federal Register to ensure Department SORNs continue to accurately describe the systems of records.
5 FAH-4 H-424.4 Privacy Act Statement (PAS)
(CT:RMH-32; 04-10-2025)
System owners must use the Department’s PAS Guide and Template to write a PAS for any form that collects PII from a U.S. person (U.S. citizens/Legal Permanent Residents), in coordination with the Privacy Office, Office of the Legal Adviser (L), the Office of Organizational Policy (A/SKS/PPKM/OP), and other stakeholders as necessary.
5 FAH-4 H-424.5 Contacting Privacy
(CT:RMH-32; 04-10-2025)
a. For any questions or clarifications on privacy policy, this FAH entry, or questions about PII, PIAs, SORNs, PASs, trainings, and clearances, contact the Privacy Office at PrivacyHelp@state.gov or send a request via the Privacy Office Help Desk Form, available on the Privacy Office’s intranet site.
b. For questions related to a specific bureau or bureau function, visit the Contact Us page on the Privacy Office’s intranet site, where you will find listed the Privacy Analyst responsible for each bureau at the Department.
c. If reporting a breach of paper or electronic records, please refer to 5 FAH-13 H-116.1 Reporting a Breach, which describes the procedures for immediately reporting a breach using the Breach Incident Form, available on the Privacy Office’s intranet site.
5 FAH-4 H-424.6 Privacy Training and Awareness
(CT:RMH-32; 04-10-2025)
To check the status of your PA318 or PS800 trainings, please visit your FSI portal, or reach out to the FSI helpdesk at FSIEDSHelp@state.gov.