
NASA Privacy Policies & Reports

NASA has made a variety of its privacy policies available to the public, which can be accessed below.


External Audit Reports:

US GAO-105065 – Dedicated Leadership Can Improve Programs and Address Challenges:

There were 2 recommendations in this report specifically for NASA:

  1. The Administrator of NASA should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 48)
  2. The Administrator of NASA should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages. (Recommendation 49)

For additional context, please refer to appendix XVI of the Privacy Report to Congressional Requesters for comments from National Aeronautics and Space Administration’s Chief Information Officer regarding this audit.

US GAO-106443 – Challenges in Protecting Privacy and Sensitive Data

Privacy Act

The Privacy Act of 1974 requires federal agencies to publish a System of Records Notice (SORN) in the Federal Register describing a new or modified system of record (SOR).

As defined by the Privacy Act, a SOR is a collection of records on individuals maintained by NASA from which information is routinely retrieved by the name of the individual or other personal identifier. A SOR is not necessarily an IT system; it can be a collection of paper records too.

Per federal requirement and NASA policy, SORNs are published in the Federal Register for any electronic or non-electronic SOR that contains information on individuals that is routinely retrieved by personal identifiers.