Preliminary Privacy Impact Assessment

The Office of Management and Budget mandates that we publish our lists of Privacy Impact Assessments (PIA's) on our web site. Learn more about PIA's.

TITLE: Single Family Mortgage Notes System (A80N)

September, 2003

UPI # 025-00-01-01-01-1060-00-206-085

PCAS # 00251190

Is this a new or substantially revised electronic information system? If revised, describe revisions.

No. This is a not a new or substantially revised information system. This system was implemented in 1984. A43 SFIS is the Departmental system of records for all single family loans. A43 SFIS contains 16 millions records for all active and terminated FHA insured cases.

If any question does not apply, state not applicable (N/A) for each question and explain why.

I. Describe the information to be collected (e.g., nature and source). Be sure to include any information in an identifiable form, e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc).

The A43 Single Family Insurance system (SFIS) is an ongoing, fully operational mixed system that supports HUD's Single Family Insurance Operations Division. A43 SFIS maintains an accurate and detailed database of more than 16 million case records of HUD/FHA insured single family mortgages - one record for every active and terminated case since 1984.

A43 receives information from the F17/CHUMS system when cases are endorsed. A43 maintains name, property address, and social security number (after 1996) for the borrower and in some cases co-borrower.

II. Why is the information being collected (e.g., to determine eligibility)?

The SFIS/A43 data information begins after the endorsement of a case (FHA loan) and continues through the termination of the case maintaining post termination case history. A43 maintains private mortgagor data including Social Security Number and Mortgagor's name and address. The Privacy Act covers these data.

III. How will the information be used (e.g., to verify existing data)?

A43 SFIS determines HUD's liability for insured Single Family loans. The A43 SFIS database is used extensively throughout HUD and its field offices to provide financial background information required for decision-making throughout the department. Information is passed from A43 SFIS and sent to seven other systems at HUD.

IV. Will you share the information with others (e.g., another agency for a programmatic purpose)? If yes, list the entities.

The SFIS/A43 is a critical component in the life cycle of a HUD/FHA insured loan. The SFIS/A43 is a key component that receives case data from the F17/CHUMS system and mortgage insurance premium (MIP) data from SFPCS-U/A80R. Case data is passed on to SFPCS-P/A80B in order to ensure the correct monthly billing to lenders. Data on cases is passed to DSRS/A80D to refund unearned premiums to homeowners upon termination of the FHA insurance. Data on terminated cases is passed to the A43C/SFCS and/or SAMS/A80S when the FHA insurance is terminated as a default. A43C/SFCS processes claim payments to lenders and SAMS/A80S utilizes the case information in accepting the asset into the HUD inventory of foreclosed properties.

Data is shared with the Office of Single Family Housing (for policy purposes), the Office of Budget and Field Resources (for subsidy modeling), the Homeownership Centers (for customer service/endorsement issues), the Office of Financial Analysis and Reporting (for accounting and financial statement purposes and external reporting) as well as senior management within the Office of the Housing-Federal Housing Commissioner and other Department components for monitoring and decision-making purposes.

A43 SFIS contains information that requires protection from unauthorized disclosure. The data captured are available to the public with the exception of selected information, i.e., FHA case numbers, financial transactions (such as Non-sufficient Funds). This data is subject to Privacy Act Laws and must be maintained in a confidential manner.

V. Describe what opportunities individuals have been given to decline to provide information or to consent to particular use of the information (e.g., whether individual may withhold permission for a particular use).

The requested data (name, property address, and social security number) are needed to process the loan and to determine eligibility under the various sections of the National Housing Act. These data are protected under the Privacy Act and this is noted on the HUD-1 loan application.

VI. How will the information be secured (e.g., administrative and technological controls)?

A43/SFIS has completed a NIST self-assessment.

All HUD systems currently meet the requirements specified in OMB policy. A new office of security is being developed within the Office of the Chief Information Officer (OCIO) that will be implemented in FY 2003. This will benefit HUD in supplying the needed staff and organizational resources for an enterprise wide security program. OCIO anticipates that all mission critical systems will be under revised security plans based on current security reviews by May of 2003. The OCIO monitors all systems with respect to security and per the requirements of GISRA, security is evaluated for all the application systems that serve the program mission. Based upon the analysis of the NIST 800-26 document, HUD examined the strengths and weaknesses specified by the 36 Critical Element questions. System representatives were asked to complete a questionnaire for their specific system. Therefore, all HUD systems are complaint with the requirements of GISRA, OMB policy, and NIST guidance.

The Office of the Chief Information Officer (OCIO) actually owns, operates, and maintains all of HUD's IT systems. There is one consolidated IT program under the OCIO. The Office of Information Technology (OIT) operates all aspects of the infrastructure, including the network and mainframe hosts where systems operate. The OCIO manages and oversees the computer security program. The HUD CIO has developed an Information Security Plan, which provides details on the agency-wide security program. It will undergo a review and update this year. Based on the NIST 800-26 document, HUD systems were evaluated using the NIST self-assessment guide.

VII. How will the data be retrieved (e.g., will it be retrieved by a personal identifier such as name, social security number, address, telephone number or some other identifier that is unique to an individual)?

All information is contained in the basic FHA Case Record retrieved by the FHA Case Number.