Privacy Program
The Federal Energy Regulatory Commission (FERC) is committed to protecting the privacy rights of its customers, individual citizens, and employees, and is also dedicated to securing the personally identifiable information (PII) requested by the Commission. The most essential function of the FERC Privacy Program is to carry out the requirements of the Privacy Act of 1974, including other privacy-related laws and policies, together with balancing the information requirements and operational needs of FERC against the privacy interest of individuals.
The Senior Agency Official for Privacy (SAOP) leads the FERC Privacy Program and has agency-wide responsibility and accountability for implementing and maintaining the Program to ensure compliance with all applicable privacy-related statutes, regulations, policies and guidance. The SAOP, along with the Privacy Officer and the Privacy Program staff, evaluates the privacy implications of legislative, regulatory, and other policy proposals, and ensures that the technology used by FERC upholds privacy protections. The SAOP, along with the Privacy Officer and the Privacy Program staff, manages privacy risks associated with all of FERC’s activities that involve the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII. The SAOP is responsible for ensuring that all FERC staff are familiar with information privacy laws, regulations, policies, and procedures, and understand the serious consequences and ramifications of inappropriate access, use, or disclosure of PII. The SAOP, along with the Privacy Officer and the Privacy Program staff, ensures completion of System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), and provisions of appropriate privacy notices. The SAOP is also responsible for ensuring that FERC takes steps to eliminate unnecessary collection, maintenance, and use of Social Security Numbers, and explore alternatives to the use of Social Security Numbers as a personal identifier. The SAOP and the Privacy Program are an important part of a comprehensive approach to effective acquisition and management of FERC information resources.
FERC's website privacy policy informs you how we handle the personally identifiable information (PII) that you provide when you visit us online to browse, obtain information, or interact through an electronic application or form.
The Office of Management and Budget (OMB) defines PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” (OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, Jan. 3, 2017). PII includes information that is personal in nature and which may be used to identify you.
Before collecting PII, we tell you what we are collecting, why we are collecting it, and how we are going to use it. We only collect the minimum amount of PII necessary to achieve the task. You may also provide PII to us when you contact us through an e-mail inquiry or a request for information. We do not require you to provide PII to visit our website, and FERC is not responsible for any accidental or inadvertent submissions of PII where not needed. We work to ensure that the PII we have about you is accurate, relevant, timely, and complete. We are committed to handling your PII appropriately, and we train all of our employees to make sure they know how to ensure that your PII remains protected.
Our commitment to Privacy
At FERC, we have eight privacy principles that guide the collection, use, sharing, and protection of your PII.
- Openness and Transparency
FERC will tell you about the PII we collect from you, as well as how we will protect it, use it, and share it. We will provide an easy way for you to learn about what is happening to your PII.
- Individual Participation
FERC will, where feasible, give you the ability to access your PII and allow you to correct or amend it if it is inaccurate.
- Authority and Purpose Specification
FERC will state the purpose and legal authority for collecting PII and will provide notice to individuals where appropriate at the point of collection of PII.
- Data Minimization
FERC will limit the collection of PII to what is needed to accomplish the stated purpose for its collection. FERC will keep PII only as long as needed to fulfill its stated purpose.
- Use Limitation
FERC will provide notice about how we plan to use and share the PII that we collect from you. We will only use or share your PII in a manner compatible with the notice, as stated in the Privacy Act, or as explicitly mandated or authorized by law.
- Data Quality and Integrity
FERC will maintain accurate, relevant, timely, and complete PII.
- Security Safeguards
FERC will protect PII from loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
- Accountability and Auditing
FERC will ensure accountability in the handling of your PII through strict policies and procedures communicated to all FERC employees. Independent auditors hold FERC accountable for complying with these policies and procedures. We also conduct our own internal review to ensure that we are meeting our responsibilities and take swift and immediate action if we uncover any violations of law or of our policies or procedures.
Limiting access to FERC information
FERC allows access to PII only to authorized individuals with a legitimate need for access.
FERC staff will:
- Only access PII as authorized and as needed to carry out official duties.
- Disclose PII only as authorized by law.
- Ensure that they protect and dispose of PII in accordance with applicable laws, regulations, and FERC policies and procedures.
- Only use PII for the purposes it was collected unless other purposes are explicitly mandated or authorized by law.
- Establish and maintain appropriate administrative, technical, and physical safeguards to protect PII.
FERC system owners and managers will:
- Meet all responsibilities for employees related to PII as outlined above.
- Follow applicable laws, regulations, and FERC policies and procedures in the development, implementation, and operation of information systems under their control.
- Conduct a risk assessment to identify privacy risks and determine the appropriate security controls to protect against risk.
- Ensure that only PII that is necessary and relevant for legally mandated or authorized purposes is collected.
Third Parties
Third parties that have access to information collected by FERC shall comply with requirements of memoranda of understanding (MOUs) entered into to address, among other matters, privacy issues.
Updated on July 29, 2024.
The Privacy Act of 1974, as amended (5 U.S.C. § 552a), provides protections to individuals through: (1) the right to request their records, subject to the Privacy Act exemptions; (2) the right to request a change to their records that are not accurate, relevant, timely, or complete; and (3) the right to be protected against unwarranted invasion of their privacy resulting from the collection, maintenance, use, and disclosure of their personal information.
Agencies are required to give the public notice of their systems of records by publication in the Federal Register. A system of records is any grouping of information about an individual under the control of a Federal agency from which information is retrievable by personal identifiers, such as name, social security number, or other identifying information. All of FERC’s System of Records Notices (SORNs) are published in the Federal Register. These notices provide the legal authority for collecting and storing PII, individuals about whom records will be collected, what kind of information will be collected, and how the records will be used.
You may access each SORN that FERC publishes in the Federal Register by accessing the Privacy Compliance tab.
If we store information about you in a system of records from which we retrieve that information by personal identifier (e.g., name, social security number, personal email address, home mailing address, personal or mobile phone number, etc.), we will safeguard your information in accordance with the Privacy Act. FERC adheres to Privacy Act requirements with respect to all information about individuals that it collects, maintains, uses, or disseminates in a system of records, regardless of whether the information pertains to a U.S. Citizen, lawful permanent resident, or a non-U.S. Citizen. However, the rights to seek access to and amendment of covered records, and to bring suit for alleged violations of the Privacy Act, only extend to U.S. citizens and legal permanent residents (as defined in 5 U.S.C. § 552a(a)(2)) and citizens of designated foreign countries or regional economic organizations (as defined under the Judicial Redress Act of 2015, 5 U.S.C. § 552a note).
FERC does not collect Personally Identifiable Information (PII) about you when you visit our website unless you decide to provide such information to us. Submitting PII through our website is voluntary, and by doing so, you are giving FERC your permission to use the information for a specific stated purpose. However, failure to provide certain information may result in the Commission’s inability to provide you with the service you desire.
Throughout our website, we will let you know whether the information we ask you to provide is voluntary or required. By providing PII, you grant us consent to use this information, but only for the primary reason you are giving it. We will ask you to grant us consent before using your voluntarily provided information for any secondary purposes, other than those required under the law.
If you choose to provide us with PII through the FERC website, by such methods as sending an email inquiry, registering for a FERC online service (e.g., electronic filing), or completing a FERC Online web application, we will use that information to help provide you the information or service you have requested. Required fields for FERC’s voluntary online forms are marked with an asterisk. If you do not fill out a required field, your request will not be processed. You automatically grant consent for use of this information when you enter the information online.
If we store your PII in a system of records designed to retrieve information about you by personal identifier (i.e., name, email address, home mailing address, personal or mobile phone number, etc.), we will safeguard the information you provide to us in accordance with the Privacy Act of 1974, as amended (5 U.S.C. § 552a). The Act requires all public-facing sites or forms that request PII to prominently display the appropriate privacy notice. Our principal purpose for collecting personal information online is to provide you with the requested service, to address security threats, and to ease the use of our website. We will only use your information for the intended purpose or for a purpose required under a law.
We collect information to:
- Respond to your complaints
- Reply to your “feedback comments”
- Manage your access to restricted areas of the website
- Fulfill requests for reports and other similar information
- Register for an account
Sharing Your Information
We may share personally identifiable information you provide to us online with representatives within FERC, other Federal government agencies, or other named representatives as needed to speed your request or transaction. In a government-wide effort to combat security and virus threats, we may share some information we collect automatically, such as IP address, with other Federal government agencies.
The FERC website and many of our programs allow you to correspond with us by email. We will use the information you provide to process your request or respond to your inquiry. Your email message may be forwarded to other Commission employees who are better able to help you. We will only send you general information via email. You should be aware that email is not necessarily secure against interception. Therefore, we suggest that you refrain from sending sensitive personally identifiable information (PII) (such as a social security number) to us through email.
Email does not constitute official communication with the Commission and is not normally entered into the public record of a formal Commission proceeding. However, email containing communication about a specific Commission proceeding, particularly if addressed to an individual Commission staff member, may be entered into the public record. Please read “Contact Us” for more information about how to communicate your needs properly, avoid impermissible ex parte communication, and ensure prompt service.
FERC does not share your email with any other outside organizations except if release is required by law, e.g., for authorized law enforcement investigations.
Electronic mail messages that meet the definition of records in the Federal Records Act (44 U.S.C. § 3301) are covered under the same disposition schedules as other Federal records. See 36 C.F.R. Part 1225. This means that emails you send us will be preserved and maintained for varying periods of time if those emails meet the definition of Federal records. Electronic messages that are not records are deleted when no longer needed.
When you visit or browse our website to read, print or download information, such as a filing or issuance, we will automatically collect information from your visit that does not identify you personally and will use certain information about your visit in the aggregate.
We automatically collect the following information about your visit:
- Domain from which you access the Internet;
- Internet Protocol (IP) address (an IP address is a number that is automatically assigned to a computer and establishes its location on the Internet and allows communications with other computers to send it content and other information);
- Type of Internet traffic associated with a specific IP address;
- Type of Internet traffic associated with a specific time or event;
- Type of technology used to access the website (such as the type of Internet browser and type of operating system);
- Date and time of a website visit;
- Content you visited or downloaded;
- The location associated with an event (such as apparent nation of origin); and
- Website (such as google.com or bing.com) or referral source (email notice or social media site) that connected you to the website.
We use the above information to measure the number of visitors to the different pages of our website, to assess system performance, and to help us make the website more useful to our visitors. In the event that a malicious behavior is detected, we may collect information on the web content you viewed during your visit.
The Office of Management and Budget (OMB) Memo M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies allows Federal agencies to use session and persistent cookies.
FERC uses web measurement and customization technologies, commonly known as “cookies,” to collect information about users’ visits to our site. When you visit the FERC website, our server may generate a “cookie” to place on your computer. A “cookie” is a small text file stored on your computer that allows websites to “remember” visitors’ preferences, and surfing patterns and behavior while they are connected.
Cookies make it easier for you to use the dynamic features of webpages. Cookies from FERC.gov webpages only collect information about your browser’s visit to the site; they do not collect any personal information about you.
There are two types of cookies, single session (temporary) and multi-session (persistent).
Session Cookies: FERC uses “session cookies” also known as “Tier 1- single session web measurement and customization technologies,” to enable better navigation through our site. These cookies let our server know that you are continuing a visit to our site. Session cookies last only as long as your Web browser is open. This means we store the cookie on your computer only during your visit to our website. Once you close your browser, the cookies disappear. FERC websites may use session cookies for technical purposes such as to enable better navigation through the site, or to allow you to customize your preferences for interacting with the site. These cookies do not collect personal information on users.
Persistent Cookies: FERC uses persistent cookies to differentiate between new and returning visitors to our site. Persistent cookies can remain on your computer between visits unless a user deletes them. Some of these cookies may collect your personal information. FERC websites may use these cookies to remember you between visits so, for example, you can save your customized preference settings for future visits. If you do not wish to have session or persistent cookies stored on your machine, you can opt out or disable cookies in your browser. You will still have access to all information and resources at FERC. However, turning off cookies may affect the functioning of some Commission websites. Disabling cookies in your browser will affect cookie usage at all other websites you visit as well.
Google Analytics: FERC uses Google Analytics, a third-party analytics tool to collect and analyze anonymous statistical data. This data helps FERC meet user needs, understand web traffic patterns, and identify opportunities to improve the quality of the site. FERC uses anonymous, aggregated data for internal purposes and discloses it to FERC employees and contractors who have a “need-to-know” in the performance of their official duties.
Google Analytics uses a persistent cookie to store a unique, randomly assigned identifier for each user if the user opts in. The persistent cookie remains on users’ computers for two years or until it is deleted. Additionally, Google Analytics uses session cookies to facilitate sending data to Google Analytics. Google Analytics does not receive Personally Identifiable Information (PII) through these cookies and does not combine, match, or cross-reference FERC.gov information with any other information. The data is automatically sent from your machine or device to the provider’s system which immediately aggregates that data.
Properly securing the information we collect online is a primary commitment. To help us do this, we take the following steps:
- Employ internal access controls to ensure that the only people who see your information are those with a need to do so to perform their official duties.
- Train relevant personnel on privacy and security measures.
- Secure the areas where we hold hard copies of information we collect online.
- Perform regular backups of the information we collect online to insure against loss.
- Use technical controls to secure the information we collect online including but not limited to:
  - Secure Socket Layer (SSL)
  - Encryption
  - Firewalls
  - User ID and Password protections
- We periodically test our security procedures to ensure personnel and technical compliance.
- We employ external access safeguards to identify and prevent unauthorized attempts of outsiders to hack into or cause harm to the information in our systems.
By using this site, you are agreeing to security monitoring and auditing. For security purposes, and to ensure that the public service remains available to users, this government computer system employs programs to monitor network traffic to identify unauthorized attempts to upload or change information or to otherwise cause damage, including attempts to deny service to users.
Tampering with the FERC website is against the law. Unauthorized attempts to upload information and/or to change information on any portion of this site are strictly prohibited and are subject to prosecution under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act of 1996 (see Title 18 U.S.C. §§1001 and 1030).
To ensure our website performs well for all users, FERC monitors the frequency of requests for FERC.gov content. We reserve the right to block Internet Protocol (IP) addresses that submit excessive requests.
Note that our policies are subject to change without notification to ensure this site performs efficiently and meets our mission statement.
FERC uses social media sites as information sharing tools to engage in discussion, to share information and media, and to collaborate with the public. Access to FERC’s social media sites is available at https://www.ferc.gov/. Your activity on these social media sites is governed by the security and privacy policies of the third-party sites. FERC does not control, moderate, or endorse the comments or opinions provided by visitors to these sites. You should review the privacy policies of all websites before using them and ensure that you understand how your information may be used. You should also adjust privacy settings on your account on any third-party website to match your preferences.
If you have an account with a third-party website, and choose to follow, like, friend, or comment on a FERC page on the third-party website, certain personal information associated with your account may be made available to us based on the privacy policies of the third-party website and your own privacy settings within that website. We do not disclose Personally Identifiable Information (PII) made available through these websites, unless required for law enforcement purposes or by statute consistent with the Privacy Act.
FERC is committed to ensuring compliance with all privacy laws, regulations, and policies related to the protection of personally identifiable information (PII) entrusted to the Commission by its customers, the public and its employees. The Senior Agency Official for Privacy (SAOP) is responsible for maintaining agency-wide compliance with all applicable statutes, regulations, and policies regarding the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII.
The following is a summary of FERC’s privacy compliance process and documentation.
Privacy Threshold Analysis (PTA)
FERC’s privacy compliance process begins with completing a PTA on all Federal Information Security Management Act (FISMA) reportable systems. A PTA is a required document that serves as the official determination as to whether a system, subsystem, component, or application has privacy implications and whether additional privacy compliance documentation is required, such as a PIA and a SORN.
A PTA determines whether a FERC system collects, stores, maintains, shares, disseminates, retains, or disposes of PII. Once it is determined a system collects PII, a PIA may be required.
Privacy Impact Assessment (PIA)
OMB defines a Privacy Impact Assessment (PIA) as "an analysis of how information is handled [in a particular automated system]: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks" (OMB Memorandum M-03-22 Attachment A Section II.A.6.)
A PIA is a decision-making tool used to identify and mitigate privacy risks at the beginning of and throughout the system development life cycle. A PIA is a publicly available document that informs the public about what PII FERC collects, why it is collected, and how it will be used, stored, maintained, retained, disseminated, shared, disposed of, and secured.
Once the Privacy Program Team reviews the PTA questionnaire and determines a PIA is required, they will work collaboratively with the system owner to prepare a PIA.
To view the PIA for a FERC automated system listed below, click on the system name:
- Intelliworx Cloud - Financial Disclosure
- eLibrary
- Office 365 (O365) Privacy Impact Assessment
- FERC Online (FOL) External
- FERC Online (FOL) Internal
- General Support System (GSS)
- PeopleSoft Financials PIA
System of Records Notice (SORN)
The Privacy Act of 1974, as amended, defines a system of records as a group of records about the individual under the control of any Federal agency from which information about the individual is retrieved by a unique personal identifier, such as the name of the individual or by some identifying number, symbol, or other identifying distinction assigned to the individual. Records about an individual retrieved by a unique personal identifier require FERC to publish a SORN (formal notice) in the Federal Register, notifying the public about the purpose for which PII is collected, from whom it is collected, what type of PII is collected, how the PII is shared externally (through routine use(s)), and who to contact to access and amend records maintained by FERC. When a significant change occurs in a system of records, its SORN will need to be revised and republished in the Federal Register.
Select from the following FERC exemptions to the Privacy Act:
- FERC-58 – Critical Energy Infrastructure Information Records
- FERC 59 – Enforcement Investigations
- FERC 60 – Hotline Records
Privacy Act Statement
The Privacy Act of 1974 (5 U.S.C. 552a) provides protection to individuals by ensuring that personal information collected by Federal agencies is limited to that which is legally authorized and necessary and is maintained in a manner that prohibits unwarranted intrusions on individual privacy.
Pursuant to 5 U.S.C. §552a(e)(3), agencies are required to provide what is commonly referred to as a Privacy Act statement to individuals prior to the collection of Personally Identifiable Information (PII) that will be entered into a system of records (i.e., information that will be stored and retrieved using the individual’s name or other personal identifier, such as a social security number).
Submit a Privacy Act Request
The Privacy Act permits you access to records about yourself that are maintained by FERC in a Privacy Act system of records. In addition, you may request that incorrect or incomplete information be changed or amended.
For more information on FERC’s Privacy Act Request, please see https://www.ferc.gov/enforcement-legal/foia.
Quick Links
- Policy for auditing FERC’s compliance with its Public Websites
- The Privacy Act (5 U.S.C. 552a)
- Department of Justice Overview of the Privacy Act
- The E-Government Act of 2002, Sec. 208 on Privacy Provisions
- Office of Management and Budget (OMB) Circular No. A-130: Management Information as a Strategic Resource
- OMB Circular No. A-108: Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act
Contact Information
- Mittal Desai
  Senior Agency Official for Privacy
  Telephone: (202) 502-6432
  Email: Mittal.Desai@ferc.gov