Our commitment to privacy
At the CFPB, we have nine privacy principles that guide when and how we collect, use, share, and protect your PII.
Purpose of collection
The CFPB will state the purpose and legal authority for collecting PII.
Openness and transparency
The CFPB will tell you about the PII we collect from you, as well as how we will protect it, use it, and share it. We will provide an easy way for you to learn about what is happening to your PII.
The CFPB will limit the collection of PII to what is needed to accomplish the stated purpose for its collection. The CFPB will keep PII only as long as needed to fulfill its stated purpose.
Limits on uses and sharing of information
The CFPB will provide notice about how we plan to use and share the PII that we collect from you. We will only use or share your PII in a manner compatible with the notice, as stated in the Privacy Act, or as explicitly mandated or authorized by law.
Data quality and integrity
The CFPB will make reasonable efforts to ensure that all PII it maintains is accurate, relevant, timely, and complete.
The CFPB will protect PII from loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
The CFPB will, in most cases, give you the ability to access your PII and allow you to correct or amend it if it is inaccurate.
Awareness and training
The CFPB will train all Bureau employees about how to secure your information properly to ensure that it remains protected.
Accountability and auditing
The CFPB will ensure accountability in the handling of your PII through strict policies and procedures communicated to all Bureau employees. Independent auditors hold the Bureau accountable for complying with these policies and procedures. We also conduct our own internal audits to ensure that we are meeting our responsibilities, and take swift and immediate action if we uncover any violations of law or our policies or procedures.
What is a Chief Privacy Officer?
The CFPB’s Chief Privacy Officer (“CPO”) is the Bureau’s Senior Agency Official for Privacy, and is responsible for ensuring compliance with applicable privacy requirements in statute, regulation, and policy, and managing privacy risks. The CPO evaluates the privacy implications of legislative, regulatory, and other policy proposals and ensures that the technology used by the CFPB upholds privacy protections. The SAOP begins reviews of privacy risks at the earliest planning and development stages of CFPB’s activities and policies that involve PII, and continues throughout the life cycle of the information. The CPO is responsible for ensuring that all employees are familiar with information privacy laws, regulations, policies, and procedures and understand the serious consequences and ramifications of inappropriate access, use, or disclosure of PII. The CPO ensures completion of System of Records Notices (“SORN”), Privacy Impact Assessments (“PIA”), and provisions of appropriate privacy notice. The CPO is also responsible for ensuring that the CFPB takes steps to eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to the use of Social Security numbers as a personal identifier. The CPO and the privacy program are an important part of a comprehensive approach to effective acquisition and management of CFPB information resources.
Training CFPB employees
The CFPB trains all employees to maintain strict confidentiality, protection, and respect for PII they encounter in the course of their duties.
The CPO provides specific training for all operational units that handle PII.
Limiting access to CFPB information
The CFPB only allows access to PII to authorized individuals with a legitimate need for access.
CFPB employees will:
- Only access PII as authorized and as needed to carry out official duties.
- Disclose PII only as authorized by law.
- Ensure that they protect and dispose of PII in accordance with applicable laws, regulations, and CFPB policies and procedures.
- Only use PII for the purposes it was collected, unless other purposes are explicitly mandated or authorized by law.
- Establish and maintain appropriate administrative, technical, and physical safeguards to protect PII.
CFPB system owners and managers will:
- Meet all responsibilities for employees related to PII as outlined above.
- Follow applicable laws, regulations, and CFPB policies and procedures in the development, implementation, and operation of information systems under their control.
- Conduct a risk assessment to identify privacy risks and determine the appropriate security controls to protect against risk.
- Ensure that only PII that is necessary and relevant for legally mandated or authorized purposes is collected.
Third parties, such as banks or other government agencies that have access to information collected by the CFPB, shall comply with requirements of memoranda of understanding (“MOUs”) drafted to address, among other matters, privacy issues.
*The Office of Management and Budget has defined “Personally Identifiable Information” as “information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.” Office of Management and Budget, M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, January 3, 2017.