Privacy
 
Welcome to the Bonneville Power Administration (BPA) Privacy Office.
Our principal objective is to protect the privacy of individuals and provide centralized resources, oversight and enforcement for privacy-related activities to advance BPA’s business mission.
 
We collaborate with offices across BPA to ensure that privacy considerations are addressed at every level of the organization. We use the principles outlined below as our policy framework to enhance privacy protections and ensure compliance with the Privacy Act, the E-Government Act, the Federal Information Security Management Act (FISMA), the Paperwork Reduction Act (PRA), Office of Management and Budget (OMB) guidance, Department of Energy (DOE) directives and BPA policies.
Privacy Principles
  • Transparency: BPA provides notice – through Privacy Act statements, privacy notices and website notifications – to individuals whose personally identifiable information (PII) is collected, used, maintained and disseminated by BPA.
  • Purpose Specification: BPA collects PII only when it is needed to meet a specific business purpose.
  • Data Minimization: BPA collects only PII that is directly relevant and necessary to accomplish the purpose for which it was collected.
  • Access/Use Limitation: Only BPA employees who need PII to conduct their official duties are granted access to PII. The PII must be used only for the specific purpose for which it was collected.
  • Accuracy: BPA has enacted appropriate safeguards to ensure the thoroughness, completeness and accuracy of PII collected and maintained by BPA. BPA also provides a mechanism for individuals to access and correct PII maintained by BPA.
  • Security: BPA protects PII through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification and unintended or inappropriate disclosure.
  • Accountability and Auditing: BPA is accountable for complying with these principles, for providing privacy education and training to all BPA federal and contract employees and for auditing actual use of PII to demonstrate compliance with applicable privacy protection requirements.
 
 
Functions of the Privacy Office
  • Develop and implement privacy policy compliant with controlling federal laws and regulations, DOE directives and BPA policies.
  • Serve as BPA’s focal point for privacy matters.
  • Provide policy guidance and assistance to offices throughout BPA in the execution of their privacy responsibilities.
  • Review all new and existing laws, regulations and policies that may affect our privacy obligations.
  • Audit all collections of PII and assess privacy risk.
  • Collaborate with offices throughout BPA to conduct Initial Privacy Evaluations (IPE) and Privacy Impact Assessments (PIA).
  • Centralize FOIA and Privacy Act operations to provide policy and programmatic oversight.
  • Operate a Privacy Incident Response Program, in collaboration with BPA Cyber Security, to ensure that incidents involving PII are properly reported, investigated and mitigated.
  • Ensure BPA complies with DOE’s privacy reporting requirements.
  • Provide training, education and outreach to build a culture of privacy across BPA and to advance transparency to our customers and the public.

Frequently Asked Questions

What is Personally Identifiable Information (PII)?

Who has the authority to collect and maintain PII at BPA?

What are the risks if PII is misused?

How does BPA notify individuals impacted by a compromise of PII?

How does BPA ensure PII is adequately protected?

What is the Privacy Act?

What Information is covered under the Privacy Act?

What is a System of Records (SOR)?

What is a System of Records Notice (SORN)?

What is a Privacy Impact Assessment (PIA)?

How do I submit a privacy complaint?

How do I submit a FOIA or Privacy Act amendment request?

Who can I contact if I have additional questions about privacy at BPA?

Where can I find more about federal information privacy requirements?

 

What is Personally Identifiable Information (PII)?

The Department of Energy defines Personally Identifiable Information as any information collected or maintained by the Department about any individual that can be used to distinguish or trace an individual’s identity. This includes names, Social Security numbers, date and place of birth, mother’s maiden name, biometric data and any other personal information that is linked or linkable to a specific individual.

PII with a moderate or high level of sensitivity is information which if lost, compromised or disclosed without authorization could result in harm, embarrassment, inconvenience or unfairness to an individual.

Some categories of PII are always considered moderately or highly sensitive, including Social Security numbers, birth dates, bank account and credit card numbers and biometric identifiers like fingerprints. For instance, a list of names and bank account numbers is always categorized as high sensitivity. Other categories of PII are more sensitive in certain contexts. For example, a list containing just employee names would ordinarily be considered low sensitivity. However, if the list contains the names of employees facing disciplinary action, it would be considered potentially harmful or embarrassing, and therefore, it is more sensitive. PII sensitivity must be assessed in context.

DOE provides the following guidance on PII sensitivity level by type of information or data:

High

  • Social Security Numbers
  • Biometric record:
    • Fingerprint
    • Iris Scan
    • DNA
  • Personal Health Information
  • Financial Information
    • Credit Card Numbers
    • Bank Account Numbers

Moderate

  • Criminal History or Disciplinary Actions
  • Place or Date of Birth
  • Mother’s Maiden Name
  • Security Clearance History
  • Metric Information, e.g., weight or height
  • Performance Appraisals
  • Employment History and other Employment Information (including resumes)

Low

  • Name
  • Address
  • Phone Number

 

Who has the authority to collect and maintain PII at BPA?

Only BPA employees with a need for PII to conduct their job duties may collect or maintain PII about members of the public or other BPA federal or contract employees.

The Privacy Act imposes civil and criminal penalties on any employee of an agency who willfully discloses PII held in a Federal System of Records (SOR) to any person or agency not entitled to receive it.

What are the risks if PII is misused?

The individual whose PII was the subject of the misuse and the organization that maintained the PII may experience some degree of adverse effects. Depending on the type of information involved, an individual may suffer social, economic or physical harm. If the information lost is sufficient to be exploited by an identity thief, for instance, the person may suffer from a loss of money, damage to credit, a compromise of medical records, threats, or harassment. The individual may also suffer from significant losses of time and money to address the damage. Other potential harms include embarrassment, improper denial of government benefits and discrimination.

Organizations may experience harm as a result of a loss of PII maintained by the organization. Harm may include remediation costs, financial losses, loss of public reputation and public trust, and legal liability.

What is different about protecting PII compared to protecting other data?

In many cases, protection of PII is similar to protection of other data and includes protecting the confidentiality, integrity and availability of the information. Most security controls used for other types of data are also applicable to the protection of PII. For PII, there are several privacy-specific safeguards, such as anonymization, minimization of PII collection and de-identification.

In addition to protection requirements for PII, there are other requirements for handling PII. The Fair Information Practices – established by the Privacy Act – advance best practice guidelines, such as purpose specification, use limitation, accountability and data quality.

Breaches to the confidentiality of PII have the potential to harm both the organization and the individual. Harm to individuals is of increased concern because of the magnitude of potential harm, such as identity theft, embarrassment and denial of benefits.  

How does BPA ensure PII is adequately protected?

BPA’s Privacy Office inventories and audits all collections of PII, utilizing Initial Privacy Evaluations (IPE) and Privacy Impact Assessments (PIA) to assess privacy impact and risk. The Privacy Office works in conjunction with IT and Cyber Security to ensure appropriate technical safeguards are in place to protect PII in electronic systems. Additionally, the Privacy Office promotes privacy education and awareness and works with individuals and offices across the agency to ensure adequate protection of PII. 

What is the Privacy Act?

The Privacy Act of 1974 mandates how federal agencies maintain PII, i.e., records that uniquely define an individual. The basic provisions of the Act require government agencies to:

  • Collect only PII that is relevant and necessary to carry out an agency function.
  • Limit access to PII to only those agency employees with a need for the information to conduct their official job duties.
  • Maintain no secret records on American citizens or lawful permanent residents.
  • Explain, at the time the information is collected, why it is needed and how it will be used.
  • Ensure that the records are used only for the reasons given, or seek permission from the subject individual when another use is considered necessary.
  • Provide adequate safeguards to protect the records from unauthorized access and disclosure.
  • Allow individuals access to their records and provide individuals the opportunity to correct inaccuracies in their records.
  • Allow individuals to find out about disclosures of their records to other agencies and persons.

What Information is covered under the Privacy Act?

Privacy Act records are records about individuals that are regularly retrieved by personal identifiers, such as a name or a unique identification number. Most of BPA’s Privacy Act records concern employees, and include, for instance, personnel records, official government travel records, and training records. Privacy Act records are grouped into Privacy Act Systems of Records.

What is a System of Records (SOR)?

A System of Records is a group or category of Privacy Act records under the control of a Federal government agency. A list of SORs utilized by BPA can be viewed here.

What is a System of Records Notice (SORN)?

A System of Records Notice (SORN) is a description of any Privacy Act SOR. SORNs generally describe the who, what, where and why of a system and describe the processes for individuals to access or contest the information being held about them in that system. SORNs also describe how the records in that system are used by BPA, and the circumstances under which BPA can disclose the records to third parties. SORNs are required to be published in the Federal Register.

What is a Privacy Impact Assessment (PIA)?

A Privacy Impact Assessment is an analysis of how PII is collected, maintained, used and disseminated by a BPA program or system as well as the risks associated with the collection of information. PIAs are required to be made available to the public. Current BPA PIAs will be viewable on this page soon.

How do I submit a privacy complaint?

If you wish to submit a privacy complaint concerning a BPA program, policy or action, please contact the BPA Privacy Office.
Email: privacy@bpa.gov
Phone: 503.230.5483 

How do I submit a FOIA or Privacy Act amendment request?

To submit a FOIA or Privacy Act amendment request, follow the instructions outlined here.

Who can I contact if I have additional questions about privacy at BPA?

If you have additional questions regarding BPA’s privacy program, you may contact the Privacy Office.
Email: privacy@bpa.gov
Phone: 503.230.5483  

Where can I find more about federal information privacy requirements?

Office of Management and Budget – Privacy Related Memoranda
Department of Energy Privacy Program
Department of Justice Office of Privacy and Civil Liberties

Contact Information

Department of Energy Senior Agency Official for Privacy
Ingrid Kolb
Ingrid.kolb@hq.doe.gov

Department of Energy Chief Privacy Officer
Jerry Hanley
Jerry.hanley@hq.doe.gov

BPA Privacy Act Officer
Christina J. Munro
cjmunro@bpa.gov
503.230.7303

If you have additional questions regarding BPA’s privacy program or wish to submit a privacy complaint concerning a BPA program, policy or action, please contact the BPA Privacy Office.
Email: privacy@bpa.gov
Phone: 503.230.5483 