Privacy

Our principal objective is to protect the privacy of individuals and provide centralized resources, oversight and enforcement for privacy-related activities to advance BPA’s business mission. We collaborate with offices across BPA to ensure that privacy considerations are addressed at every level of the organization. We use the principles outlined below as our policy framework to enhance privacy protections and ensure compliance with the Privacy Act, the E-Government Act, The Federal Information Security Management Act, the Paperwork Reduction Act, Office of Management and Budget guidance, Department of Energy (DOE) directives and BPA policies.

This webpage includes privacy principles, functions of the privacy office, FAQs and contact information.

Privacy Policy

The following will explain how we handle any information about individuals that we collect during your visit to our website. Please note, our website contains links to other federal agencies and private organizations. Once you navigate to another site, you are subject to the policies of the new site.

Information collected and stored automatically

When you visit our website to read pages or download information, we automatically collect and store the following information only:

The name of the domain from which you entered our website (for example, "xcompany.com" if you use a private Internet access account or "your school.edu" if you connect from a university domain)
IP Address (an IP address is a number that is automatically assigned to your computer whenever you are surfing the web)
The type of browser and operating system used to access our site
The date and time you access our site
The pages you visit
If you navigated to the BPA website from another website, the address of that website

We use this information to measure the number of visitors to the different sections of our site, and to help make our site more useful to visitors. We do not track or record information about individuals and their visits. This information is not shared with anyone beyond the support staff to this home page, except when required by Law Enforcement investigation. This information is not sold for commercial marketing purposes.

Information collected via e-mail

If you choose to provide us with personal information by sending an e-mail or filling out a web comment form, we may use that information to respond to your message or to help us obtain the information you have requested. In an effort to respond to your request, any information you submit may be viewed by people in other government agencies depending upon the nature of your request.

Information collected in signing up for a conference

A few pages on the BPA Website may request credit card information from the user. In those instances, a secure Website will be used for the transmission of that information. The credit card information will be used to complete a monetary transaction involving fees to attend BPA-sponsored conferences or the cost of BPA goods or services. The information will only be used for that transaction and will not be disseminated to others.

Information collected for security purposes

For site security purposes and to ensure that this service remains available to all users, this government computer system employs industry-standard methods to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage

Information collected via other means

Specific proceedings where the public is invited to comment will contain a notice of what the agency intends to do with the data gathered.

Privacy Principles

Transparency: BPA provides notice through Privacy Act statements, privacy notices and website notifications to individuals whose personally identifiable information (PII) is collected, used, maintained and disseminated by BPA.
Purpose Specification: BPA collects PII only when it is needed to meet a specific business purpose.
Data Minimization: BPA collects only PII that is directly relevant and necessary to accomplish the purpose for which it was collected.
Access/Use Limitation: Only BPA employees who need PII to conduct their official duties are granted access to PII. The PII must be used only for the specific purpose for which it was collected.
Accuracy: BPA has enacted appropriate safeguards to ensure the thoroughness, completeness and accuracy of PII collected and maintained by BPA. BPA also provides a mechanism for individuals to access and correct PII maintained by BPA.
Security: BPA protects PII through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification and unintended or inappropriate disclosure.
Accountability and Auditing: BPA is accountable for complying with these principles, for providing privacy education and training to all BPA federal and contract employees and for auditing actual use of PII to demonstrate compliance with applicable privacy protection requirements.

Functions of the Privacy Office

Develop and implement privacy policy compliant with controlling federal laws and regulations, DOE directives and BPA policies.
Serve as BPA's focal point for privacy matters.
Provide policy guidance and assistance to offices throughout BPA in the execution of their privacy responsibilities.
Review all new and existing laws, regulations and policies that may affect our privacy obligations.
Audit all collections of PII and assessing privacy risk.
Collaborate with offices throughout BPA to conduct Initial Privacy Evaluations (IPE) and Privacy Impact Assessments (PIA).
Centralize FOIA and Privacy Act operations to provide policy and programmatic oversight.
Operate a Privacy Incident Response Program, in collaboration with BPA Cyber Security, to ensure that incidents involving PII are properly reported, investigated and mitigated.
Ensure BPA complies with DOE's privacy reporting requirements.
Provide training, education and outreach to build a culture of privacy across BPA and to advance transparency to our customers and the public.

Frequently Asked Questions

The definition of PII is broad. PII includes any information collected or maintained by the Bonneville Power Administration about any individual. This includes:

Information that can be used to distinguish or trace an individual, such as name, Social Security number, and biometric data, and
Information about a person's past or present status or activities, such as education, medical history, criminal history, or employment history.

Sensitive PII is PII that must be protected against loss because improper disclosure could result in substantial harm, embarrassment, inconvenience or unfairness to an individual. Improper disclosure includes loss, theft, and unauthorized release or sharing.

Sensitive PII: Examples

Social Security number or last four digits
Medical history and conditions
Credit card and financial account numbers (personal and government)
Driver's license, state ID and passport number
Education
Height and weight
Workplace performance and disciplinary history
Employment history and information

Non-sensitive PII is information that is often publicly available, and its dissemination is unlikely to lead to harm. Keep in mind that you should exercise care when handling any kind of PII.

Non-sensitive PII: Examples

Name
E-mail address
Home address
Phone number
HRMIS ID
BUD login

Can PII be sensitive in some cases and not in others?

Context matters. Some kinds of PII are always considered sensitive, including Social Security numbers, birth dates, and biometric identifiers like fingerprints. Other categories of PII are sensitive in certain contexts. For example:

A list of employee names attending a meeting would be non-sensitive. A list of employee names facing disciplinary action would be sensitive because it is potentially harmful or embarrassing.
Identifiable photographs are PII, but the sensitivity cannot be predicted because it depends on both content and context.

What other kinds of things are PII?

Many other things may be PII; the charts above are not exhaustive and only contain examples. Remember, PII includes any information that meets the definition above, and sensitivity always depends on context.

The individual whose PII was the subject of the misuse and the organization that maintained the PII may experience some degree of adverse effects. Depending on the type of information involved, an individual may suffer social, economic or physical harm. If the information lost is sufficient to be exploited by an identity thief, for instance, the person may suffer from a loss of money, damage to credit, a compromise of medical records, threats, or harassment. The individual may also suffer from significant losses of time and money to address the damage. Other potential harms include embarrassment, improper denial of government benefits and discrimination.

Organizations may experience harm as a result of a loss of PII maintained by the organization. Harm may include remediation costs, financial losses, loss of public reputation and public trust, and legal liability.

In many cases, protection of PII is similar to protection of other data and includes protecting the confidentiality, integrity and availability of the information. Most security controls used for other types of data are also applicable to the protection of PII. For PII, there are several privacy-specific safeguards, such as anonymization, minimization of PII collection and de-identification.

In addition to protection requirements for PII, there are other requirements for handling PII. The Fair Information Practices – established by the Privacy Act – advance best practice guidelines, such as purpose specification, use limitation, accountability and data quality.

Breaches to the confidentiality of PII have the potential to harm both the organization and the individual. Harm to individuals is of increased concern because of the magnitude of potential harm, such as identity theft, embarrassment and denial of benefits.

BPA’s Privacy Office inventories and audits all collections of PII, utilizing Initial Privacy Evaluations (IPE) and Privacy Impact Assessments (PIA) to assess privacy impact and risk. The Privacy Office works in conjunction with IT and Cyber Security to ensure appropriate technical safeguards are in place to protect PII in electronic systems. Additionally, the Privacy Office promotes privacy education and awareness and works with individuals and offices across the agency to ensure adequate protection of PII.

The Privacy Act of 1974 mandates how federal agencies maintain PII, i.e., records that uniquely define an individual. The basic provisions of the Act require government agencies to:

Collect only PII that is relevant and necessary to carry out an agency function.
Limit access to PII to only those agency employees with a need for the information to conduct their official job duties.
Maintain no secret records on American citizens or lawful permanent residents.
Explain, at the time the information is collected, why it is needed and how it will be used.
Ensure that the records are used only for the reasons given, or seek permission from the subject individual when another purpose for there is considered necessary.
Provide adequate safeguards to protect the records from unauthorized access and disclosure.
Allow individuals access to their records and provide individuals the opportunity to correct inaccuracies in their records.
Allow individuals to find out about disclosures of their records to other agencies and persons.

A System of Records Notice (SORN) is a description of any Privacy Act SOR. SORNs generally describe the who, what, where and why of a system and describe the processes for individuals to access or contest the information being held about them in that system. SORNs also describe how the records in that system are used by BPA, and the circumstances under which BPA can disclose the records to third parties. SORNs are required to be published in the Federal Register.

Power Services

Products & Services

BPA Power Contracts

Hydropower Data & Studies

Transmission Services

Doing Business

Products & Services

Operations & Reliability

Reports & Tools

Energy Efficiency

Policy and Reporting

News & Events

EE Sectors

Innovation and Research

Utility Resources

Rate & tariff proceedings

Background Information

Current Rates & Tariff

Current Rates & Tariff Proceedings

Inactive Rate & Tariff Proceedings

Customer & contractor services

Contractor & Vendor Resources

Billing & Payment

Environment, Fish & Wildlife

Fish & Wildlife

Cultural Resources

Pollution Prevention

Environmental Compliance

Sustainability at BPA

Land Management & Community Safety

Sustainability Efforts

Public involvement & decisions

Comments & Decisions

Public Events

Environmental Compliance

Community education

K-12 Resources & Events

General Education

Hydropower Resources

Projects

Energy

Renewables

Hydropower & Water Storage

Technology

Newsroom

News Articles & Publications

Finance

Information & Reports

Debt Management Processes

Financial Planning

Integrated Program Review

Asset Management

Who We Are

Contact

BPA Information

Our Policies

Careers

Working at BPA

Privacy

Privacy Policy

Privacy Principles

Functions of the Privacy Office

Frequently Asked Questions

What is Personally Identifiable Information (PII)? toggle

Who has the authority to collect and maintain PII at BPA toggle

What are the risks if PII is misused? toggle

What is different about protecting PII compared to protecting other data? toggle

How does BPA ensure PII is adequately protected? toggle

What is the Privacy Act? toggle

What Information is covered under the Privacy Act? toggle

What is a System of Records (SOR)? toggle

What is a System of Records Notice (SORN)? toggle

What is a Privacy Impact Assessment (PIA)? toggle

How do I submit a privacy complaint? toggle

How do I submit a FOIA or Privacy Act amendment request? toggle

Who can I contact if I have additional questions about privacy at BPA? toggle

Where can I find more about federal information privacy requirements? toggle

Related pages