Tony from OSD asks:
Dr. RMF, I currently assess a boundary that includes all of our desktops, laptops, network printers, and some local printers. There are a number of devices (i.e., desktops/laptops) that don’t store Personally Identifiable Information (PII) per se, but will disseminate PII to our records management boundary on a daily basis. So, my interpretation is that, considering we process PII within this particular boundary, we (desktop environment) would require a Privacy Impact Assessment (PIA). Does this sound accurate? Any assistance you may provide would be greatly appreciated.
Dr. RMF responds:
Tony, from your description of this “workflow”, Dr. RMF can see that your desktop and laptop users are gathering PII and then sending it across your system boundary into your records management systems. If that is an accurate take on what is happening on a daily basis, then absolutely your “desktop environment” would require a PIA.
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF is a Ph.D. researcher with a primary research focus of RMF.
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/.