Last updated: February 10, 2022
Interpretation and Definitions
The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
- Account means a unique account created for You to access our Service or parts of our Service.
- Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to JFK International Air Terminal LLC, JFK International Airport, Terminal 4, Room161.022, Jamaica, NY 11430.
- Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
- Country refers to: United States
- Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
- Personal Data is any information that relates to an identified or identifiable individual.
- Service refers to the Website.
- Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
- Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.
- Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- Website refers to JFK International Air Terminal, accessible from www.jfkt4.nyc
- You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
Collecting and Using Your Personal Data
Types of Data Collected
While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:
- Email address
- First name and last name
- Phone number
- Address, State, Province, ZIP/Postal code, City
- Usage Data
Usage Data is collected automatically when using the Service.
Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.
We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.
Information from Third-Party Social Media Services
The Company allows You to create an account and log in to use the Service through the following Third-party Social Media Services:
If You decide to register through or otherwise grant us access to a Third-Party Social Media Service, We may collect Personal data that is already associated with Your Third-Party Social Media Service's account, such as Your name, Your email address, Your activities or Your contact list associated with that account.
Tracking Technologies and Cookies
- Flash Cookies. Certain features of our Service may use local stored objects (or Flash Cookies) to collect and store information about Your preferences or Your activity on our Service. Flash Cookies are not managed by the same browser settings as those used for Browser Cookies. For more information on how You can delete Flash Cookies, please read "Where can I change the settings for disabling, or deleting local shared objects?" available at https://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html#main_Where_can_I_change_the_settings_for_disabling__or_deleting_local_shared_objects_
- Web Beacons. Certain sections of our Service and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).
Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on Your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close Your web browser.
We use both Session and Persistent Cookies for the purposes set out below:
- Necessary / Essential Cookies
Type: Session Cookies
Administered by: Us
Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.
- Cookies Policy / Notice Acceptance Cookies
Type: Persistent Cookies
Administered by: Us
- Functionality Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.
Use of Your Personal Data
The Company may use Personal Data for the following purposes:
- To provide and maintain our Service, including to monitor the usage of our Service.
- To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
- For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
- To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
- To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless You have opted not to receive such information.
- To manage Your requests: To attend and manage Your requests to Us.
- For business transfers: We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Us about our Service users is among the assets transferred.
- For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing and your experience.
We may share Your personal information in the following situations:
- With Service Providers: We may share Your personal information with Service Providers to monitor and analyze the use of our Service, to contact You.
- For business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business to another company.
- With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
- With other users: when You share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside. If You interact with other users or register through a Third-Party Social Media Service, Your contacts on the Third-Party Social Media Service may see Your name, profile, pictures and description of Your activity. Similarly, other users will be able to view descriptions of Your activity, communicate with You and view Your profile.
- With Your consent: We may disclose Your personal information for any other purpose with Your consent.
Retention of Your Personal Data
The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.
Transfer of Your Personal Data
Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction.
Disclosure of Your Personal Data
Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other legal requirements
The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of the Company
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of Users of the Service or the public
- Protect against legal liability
Security of Your Personal Data
The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.
Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 13 without verification of parental consent, We take steps to remove that information from Our servers.
If We need to rely on consent as a legal basis for processing Your information and Your country requires consent from a parent, We may require Your parent's consent before We collect and use that information.
Links to Other Websites
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
- By email: [email protected]
- By phone number: (718)244-4444
This policy is intended to provide requirements and a framework for the protection and the privacy of personally identifiable information and the responsibilities in which JFKIAT employees must comply.
This policy applies to the collection, storage, processing, transfer, and use of all personally identifiable information by JFKIAT, its contractors, and third-party vendors while conducting business on JFKIAT’s behalf.
Personally Identifiable Information (PII): Personally identifiable consumer/employee information is defined as a name (first name or first initial and last name, maiden name, mother’s maiden name, or alias) in combination with any of the following data elements listed below:
∙ Social Security Number
∙ Credit/Debit Card Number
∙ Tax ID Number
∙ Personal Identification Document (such as Driver’s License, Passport, Green Card etc.) ∙ Patient Identification Number
∙ Home Mailing Address
∙ Email Address
∙ Telephone Numbers
∙ Date of Birth
∙ Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier
∙ Personal characteristics, including photographic image
∙ Personal Financial Information (Financial Account or Credit Card number) ∙ Consumer Purchase Activity
∙ Medical or Health Conditions
∙ Biometric image or template data (e.g., retina scan, voice signature, facial geometry)
∙ Information identifying personally owned property, such as vehicle registration number or title number and related information
∙ Offenses or Criminal Convictions
∙ Or any other information used to identify or locate an individual.
In the regular course of business, JFKIAT, its contractors, and third-party vendors, from time to time may accumulate consumer and employee information that is deemed private or sensitive in nature. JFKIAT will take appropriate steps to protect PII in its possession or control.
JFKIAT recognizes that PII collected in the regular course of business must be held in a position of trust and it seeks to fulfill this trust by adhering to the general principles laid out in this policy. JFKIAT, including its employees, contractors’ and third-party vendors’ employees while conducting business on JFKIAT’s behalf, must therefore comply with the principles outlined in this policy, even if local law is less restrictive.
This policy addresses the rights of individuals (employees, interns, prospective employees, former employees, dependents, beneficiaries, contractors, consultants, temporary agency workers, customers, consumers, suppliers and vendors); and the obligations of JFKIAT with respect to the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, retention, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or and destruction, of personal data in relation to JFKIAT’s use of information technology.
The concepts of “Data Privacy” rely heavily on “Information Security” to ensure the confidentiality of personal data.
5.Privacy Program Requirements
To ensure alignment between the various functions, Legal Counsel conducts regular communication sessions between all stakeholders. Contents of the communication focuses on privacy requirements in information technology.
To ensure all staff is adequately knowledgeable on Data Privacy requirements, they must complete Data Privacy training as assigned. Specific roles within Department of IT and Digital, Department of Safety and Security, and Department of Human Resources may be required to complete additional training in line with the increased risks and responsibilities of their activities.
c. Risk Assessment
IT and Digital and Safety and Security Departments jointly ensure that periodic risks assessments take place to align data protection and information security activities with risks and priorities as reported through the risk assessment process.
6.Handling of PII
a. Notice, Collection, Use and Retention of PII
∙ provides notice and choice to individuals regarding information collection and use:
o A copy of the Privacy Notice for JFKIAT Web Site can be seen in Appendix A.
o A copy of the Privacy Notice for JFKIAT Guest Wi-Fi can be seen in Appendix B.
o A copy of the Privacy Notice for JFKIAT VPN Access can be seen in Appendix C.
o A copy of the Privacy Notice for JFKIAT CCTV Systems be seen in Appendix D.
∙ reviews purpose of PII collected, used and retained for appropriate business needs annually or as needed.
∙ does not store, use, or process consumer or employee PII without a valid business need and/or incompatible with JFKIAT’s Privacy Notice.
∙ does not sell, rent or lease PII to any third-party vendor.
∙ limits the disclosure of PII to JFKIAT employees who have a legitimate business need.
∙ retains the PII only as long as needed to fulfill the business purpose or as required by law and as outlined in JFKIAT’s Record Retention and Destruction Policy.
b. Information Accuracy and Integrity of PII
∙ Employees shall have reasonable access to verify and challenge the accuracy of their PII.
∙ In accordance with JFKIAT’s Information Security Program, industry standard methods are used to help ensure the integrity of collected data, including various error checking schemes.
∙ Regular backups of critical information are created and stored to help ensure that corrupted data can be restored in accordance with JFKIAT’s Backup Policy.
c. Information Protection of PII
∙ In accordance with JFKIAT’s Information Security Program and Encryption Policy, industry standard encryption shall be used to protect the confidentiality and integrity of PII transmitted over public networks.
∙ Access to PII is physically and logically restricted and limited to only those JFKIAT employees with a valid business need.
d. Enforcement and Oversight
∙ PII collection and storage practices are reviewed annually to help ensure that better commercial practices are in place to obtain and protect PII.
∙ Legal Counsel ensures that reviews are complete and accurate.
∙ Legal Counsel ensures that collection and use policies comply with relevant privacy and data protection laws and regulations.
∙ If a breach of this policy is suspected, Legal Counsel and Department of Safety and Security must be notified.
Information Security Governance Group (ISGG), Legal Counsel, Human Resources (HR), and Commercial Department are responsible for maintaining this policy and setting the annual review date. Legal Counsel is primarily responsible for Privacy within JFKIAT.
In the context of this policy, Legal Counsel is responsible for organizing and running the Privacy Impact Assessment (PIA) process. This includes inter alia process templates, process narrative, PIA reviews, PIA recommendations, logging of decisions and ensuring proper actions follow-up.
A PIA is conducted by using the Privacy Impact Assessment (PIA) Template which is provided in Appendix E. It is used to identify and assess privacy risks. It states what personally identifiable information (PII) is collected and explains how that information is maintained, how it will be protected and how it will be shared. A PIA should identify:
∙ whether the information being collected complies with privacy-related legal and regulatory compliance requirements.
∙ the risks and effects of collecting, maintaining and disseminating PII.
∙ protections and processes for handling information to alleviate any potential privacy risks.
∙ options and methods for individuals to provide consent for the collection of their PII.
In the context of this policy, and are responsible for ensuring that appropriate controls are in place within those systems that process personal data of employees, interns, prospective employees, former employees, dependents, beneficiaries, contractors, consultants, temporary agency workers, vendors, customers, suppliers and consumers through conducting risk assessments and reviews as part of the PIA process.
is a senior official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organization operations and assets, individuals and JFKIAT. The VP of Safety and Security is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data. Controls over personal data protection must be established in line with the sensitivity of the personal data in the system.
is responsible for working with technology providers to understand the needs and requirements for building security and personal data protection into the systems and making these controls a part of the entire life cycle approach. VP of IT and Digital is also responsible for ensuring the completion of the PIA and the closure to any action items that arise during the PIA review with the Legal Counsel.
protect JFKIAT classified information in their possession or to which they have access based on the defined information classification from the Data Classification Policy. Any future information assets derived or created from an originally classified asset will carry the same classification; and will be labeled at the time of creation unless any change or addition require the change of classification. Users shall not use personal data beyond the purpose for which it was originally collected.
shall be required to follow the requirements in this policy whenever conducting activities on behalf of JFKIAT.
8.Compliance with Privacy and Data Protection Laws and Regulations
This policy aims at meeting commonly applicable privacy principles, including those specific to the NY SHIELD Act.
Senate Bill 5575, more commonly referred to as the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act (NY Shield Act), is an amendment to the New York General Business Law and the State Technology Law with additional requirements for handling private information and personal information. NY SHIELD Act defined personal information as any data about a natural person that can be used to identify the individual, it defines “private information” as either personal information in combination with a variety of traditional non-public personally identifiable information or a username / email address in combination with a password or security question/answer.
a. Privacy Data Elements from NY SHIELD Act
∙ Social security number
∙ Driver’s license number or non-driver identification card
∙ Account number
∙ Credit or debit card number in conjunction with:
o Security code
o Access code
o Any other information that permits financial account access
o Account, credit card or debit card number if such number permits financial account access without additional identifying information
∙ Biometric information defined as data generated by electronic measurements of an individual’s unique physical characteristics including but not limited to:
o Facial recognition
o Retina or iris scan
o Voice print
NY SHIELD Act is applicable to JFKIAT as it applies to any person or entity with private information of a New York Resident, not just to those that conduct business in New York State. NY SHIELD Act can be enforced against organizations that operate outside of the state, so long as they have New York Resident information.
NY SHIELD Act defines a data breach as unauthorized access. This is beyond unauthorized acquisition of as “Access” creates a broader definition of data breach since it does not need exfiltration of data, and just unauthorized access.
c. NY SHIELD Act Requirements
The NY SHIELD Act mandates that persons or entities that own or license computerized data containing the private information of a New York resident, implement “reasonable security” measures. In the absence of any other data security or privacy compliance requirements, the NY SHIELD Act defines reasonable security controls as Administrative, Technical and Physical safeguards.
∙ Reasonable Administrative Safeguards are safeguards such as the following, in which JFKIAT:
o designates one or more employees to coordinate the security program,
o identifies reasonably foreseeable risks (external and internal),
o assesses existing safeguards; conducts workforce cybersecurity training; and
o both selects service providers that can maintain appropriate safeguards and requires those safeguards by contract.
∙ Reasonable Technical Safeguards are safeguards such as the following, in which JFKIAT:
o assesses risks in network and software design;
o assesses risks in information processing, transmission, and storage;
o detects, prevents, and responds to attacks or system failures
o regularly tests and monitors the effectiveness of key controls, systems, and procedures.
∙ Reasonable Physical Safeguards are safeguards such as the following, in which JFKIAT:
o assesses risks of information storage disposal;
o detects, prevents, and responds to intrusions;
o protects against unauthorized access to or use of private information during or after collection, transportation and destruction or disposal of the information;
o disposes of private information within a reasonable amount of time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed.
APPENDIX A – PRIVACY NOTICE FOR JFKIAT WEBSITE
This privacy notice discloses the privacy practices for (https://www.jfkt4.nyc/). This privacy notice applies solely to information collected by this website, except where stated otherwise. It will notify you of the following:
∙ What information we collect;
∙ With whom it is shared;
∙ How it can be corrected;
∙ How it is secured;
∙ How policy changes will be communicated; and
∙ How to address concerns over misuse of personal data.
Information Collection, Use, and Sharing
We are the sole owners of the information collected on this site. We only have access to/collect information that you voluntarily give us via email or other direct contact from you. We will not sell or rent this information to anyone.
We will use your information to respond to you, regarding the reason you contacted us. We will not share your information with any third party outside of our organization, other than as necessary to fulfill your request.
Your Access to and Control Over Information
You may opt out of any future contacts from us at any time. You can do the following at any time by contacting us via the email address or phone number provided on our website:
∙ See what data we have about you, if any.
∙ Change/correct any data we have about you.
∙ Have us delete any data we have about you.
∙ Express any concern you have about our use of your data.
We take precautions to protect your information. When you submit sensitive information via the website, your information is protected both online and offline.
Wherever we collect sensitive information, that information is encrypted and transmitted to us in a secure way. You can verify this by looking for a closed lock icon at the bottom of your web browser, or looking for "https" at the beginning of the address of the web page.
While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job (e.g, customer service) are granted access to personally identifiable information. The computers/servers on which we store personally identifiable information are kept in a secure environment.
Notification of Changes
In order to send your inquiry, a user must first complete the registration form. During registration a user is required to give certain information (such as name and email address). This information is used to respond to your inquiry.
Like most websites, we also use "cookies" to enhance your experience while using our web site. A cookie is a piece of data stored on your hard drive to help us improve your access to our web site and identify repeat visitors to our site. Usage of a cookie is in no way linked to any personally identifiable information on our site.
This web site contains links to other sites. Please be aware that we are not responsible for the content or privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of any other site that collects personally identifiable information.
APPENDIX B – PRIVACY NOTICE FOR JFKIAT GUEST WI-FI
This network is the property of JFKIAT and may be accessed only by authorized guests and employees of JFKIAT.
Unauthorized use of this network is strictly prohibited and subject to criminal prosecution.
The data you send and receive over this network is not encrypted and may be viewed or intercepted by others. Use this network at your own risk. Privacy and security safeguards are the user's responsibility; this network does not provide any. JFKIAT does not warrant or represent that this service will be uninterrupted, error-free, or secure. Users should be aware that there are security, privacy, and confidentiality risks inherent in wireless communications and technology.
JFKIAT may, if and to the extent permitted under applicable law, monitor any activity or retrieve any information transmitted through this network, to ensure compliance with JFKIAT policy and with federal, state and local law. By accessing and using this network, you are consenting to such monitoring and information retrieval by JFKIAT if and to the extent permitted under applicable law. Users should have no general expectation of privacy or confidentiality when using this network.
APPENDIX C – PRIVACY NOTICE FOR JFKIAT VPN ACCESS
**** WARNING ****
This resource, including all related equipment, networks and network devices, are provided for authorized use of JFK International Airport Terminal, LLC computer systems.
All systems accessed may be monitored for all lawful purposes, including to ensure authorized use, for management of the system, to facilitate protection against unauthorized access and to verify security procedures and operational procedures.
The monitoring on this system may include audits by authorized personnel to test or verify the validity, security and survivability of this system.
During monitoring information may be examined, recorded, copied and used for authorized purposes.
All information placed on or sent to this system may be subject to such monitoring procedures.
Use of this system, authorized or unauthorized, constitutes consent to this policy and the policies and procedures.
Evidence of unauthorized use collected during monitoring may be used for criminal prosecution, legal counsel and law enforcement agencies.
APPENDIX D – PRIVACY NOTICE FOR CCTV SYSTEMS
How JFKIAT Obtains CCTV Footage
JFKIAT has several cameras around Terminal 4 which monitor Arrivals Hall, Departures Hall, roadways, inside and outside of terminal operational areas, loading docks and VIP parking lots.
CCTV monitoring is conducted 24 hours a day and this data is continuously recorded. The recorded footage is kept for 30 days.
Camera locations are chosen to minimize the capture of images that are not relevant to the legitimate purposes of the monitoring.
Images are monitored only by JFKIAT or contracted companies’ authorized employees during working hours for legitimate reasons such as to protect health and safety.
Live feeds from cameras and recorded images are only viewed by approved JFKIAT or contracted companies’ employees whose role requires them to have access to such data.
No surveillance cameras are placed in areas where there is an expectation of privacy such as bathrooms.
How JFKIAT Uses the Data That is Collected Through CCTV Systems
Images of individuals and vehicles that are collected through the JFKIAT CCTV systems in or around Terminal 4 are used:
∙ to prevent crime and protect buildings and assets of JFKIAT, of other occupants of Terminal 4 and of their respective staff and visitors from damage, disruption, vandalism and other crime.
∙ for the personal health, safety and security of employees, visitors and other members of the public and to act as a deterrent against crime.
∙ to support law enforcement agencies in the prevention, detection and prosecution of crime.
∙ to assist in the day-to-day operations.
∙ to assist in the defense of any civil litigation issues.
Where images from our CCTV system are relevant to other occupants of Terminal 4 or any individual, JFKIAT may share them with those other occupants/individuals if it considers that this is reasonably necessary for any of the purposes set out above.
JFKIAT may allow law enforcement agencies to view CCTV footage where this is required in the prevention, detection or prosecution of crime.
JFKIAT may run video analytics and facial recognition algorithms on live feeds and recorded images to accelerate investigations and to attain situational awareness.
JFKIAT keeps a record of all disclosures of CCTV footage. JFKAIT is not responsible for how other occupants, individuals or law enforcement agencies use those images after their release.
APPENDIX E – PRIVACY IMPACY ASSESSMENT (PIA) TEMPLATE
1. Project Manager / System Owner’s Contact Information:
∙ Contact Information
2. General Project/System Information:
∙ Name of Project or System
∙ Description of Project or System
∙ Purpose of the Project or System
∙ Operational Date
∙ Specific legal authorities, arrangements, and/or agreements which require the collection of this information?
3. Data in the System:
∙ What data is to be collected?
∙ What are the sources of the data?
∙ Why is the data being collected?
∙ What technologies will be used to collect the data?
∙ Does a personal identifier retrieve the data?
4. Attributes of the Data (Use and Accuracy):
∙ Description of the uses of data.
∙ Does the system analyze data to assist users in identifying previously unknown areas of note, concern or pattern?
∙ How will the data collected from individuals or derived by the system be checked for accuracy?
5. Sharing Practices:
∙ Will the data be shared with any internal or external organizations?
∙ How is the data transmitted or disclosed to the internal or external organization? ∙ How is the shared data secured by external recipients?
6. Notice to Individuals to Decline/Consent Use:
∙ Was notice provided to the different individuals prior to collection of data? ∙ Do individuals have the opportunity and/or right to decline to provide data? ∙ Do individuals have the right to consent to particular uses of the data?
7. Access to Data:
∙ Has the retention schedule been established? If so, what is the retention period for the data in the system?
∙ What are the procedures for identification and disposition of the data at the end of the retention period?
∙ Description of the privacy training provided to users, either generally or specifically relevant to the program or system?
∙ Will contractors have access to the system?
8. Privacy Analysis:
Given the amount and type of data being collected, discuss what privacy risks were identified and how they were mitigated.