September 26, 2003
M-03-22
MEMORANDUM FOR HEADS
OF EXECUTIVE DEPARTMENTS AND AGENCIES
FROM: |
Joshua
B. Bolten
DirectoR |
|
SUBJECT: |
OMB
Guidance for Implementing the Privacy Provisions of the
E-Government
Act of 2002 |
The attached guidance provides information to agencies on implementing the
privacy provisions of the E-Government Act of 2002, which was signed by
the President on December 17, 2002 and became effective on April 17, 2003.
The Administration is committed to protecting the privacy of the American
people. This guidance document addresses privacy protections when Americans
interact with their government. The guidance directs agencies to conduct
reviews of how information about individuals is handled within their agency
when they use information technology (IT) to collect new information, or
when agencies develop or buy new IT systems to handle collections of personally
identifiable information. Agencies are also directed to describe how the
government handles information that individuals provide electronically,
so that the American public has assurances that personal information is
protected.
The privacy objective of the E-Government Act complements the National Strategy
to Secure Cyberspace. As the National Strategy indicates, cyberspace security
programs that strengthen protections for privacy and other civil liberties,
together with strong privacy policies and practices in the federal agencies,
will ensure that information is handled in a manner that maximizes both
privacy and security. Background
Section 208 of the E-Government Act of 2002 (Public Law 107-347, 44 U.S.C.
Ch 36) requires that OMB issue guidance to agencies on implementing the
privacy provisions of the E-Government Act (see Attachment A). The text
of section 208 is provided as Attachment B to this Memorandum. Attachment
C provides a general outline of regulatory requirements pursuant to the
Children’s Online Privacy Protection Act (“COPPA”). Attachment
D summarizes the modifications to existing guidance resulting from this
Memorandum. A complete list of OMB privacy guidance currently in effect
is available at OMB’s website.
As OMB has previously communicated to agencies, for purposes of their FY2005
IT budget requests, agencies should submit all required Privacy Impact Assessments
no later than October 3, 2003.
For any questions about this guidance, contact Eva Kleederman, Policy Analyst,
Information Policy and Technology Branch, Office of Management and Budget,
phone (202) 395-3647, fax (202) 395-5167, e-mail Eva_Kleederman@omb.eop.gov.
Attachments
Attachment
A
Attachment B
Attachment C
Attachment D
Attachment
A
E-Government
Act Section 208 Implementation Guidance
I. General
- Requirements.
Agencies are required to:
- conduct privacy
impact assessments for electronic information systems and collections
and, in general, make them publicly available (see Section II of this
Guidance),
- post privacy
policies on agency websites used by the public (see Section III),
- translate privacy
policies into a standardized machine-readable format (see Section
IV), and
- report annually
to OMB on compliance with section 208 of the E-Government Act of 2002
(see Section VII).
- Application.
This guidance applies to:
- all executive
branch departments and agencies (“agencies”) and their
contractors that use information technology or that operate websites
for purposes of interacting with the public;
- relevant
cross-agency initiatives, including those that further electronic
government.
Modifications
to Current Guidance. Where indicated, this Memorandum modifies
the following three memoranda, which are replaced by this guidance (see
summary of modifications at Attachment D):
- Memorandum 99-05 (January 7, 1999), directing agencies to examine their procedures
for ensuring the privacy of personal information in federal records
and to designate a senior official to assume primary responsibility
for privacy policy;
- Memorandum
99-18 (June 2, 1999), concerning posting privacy policies on major
entry points to government web sites as well as on any web page collecting
substantial personal information from the public; and
- Memorandum
00-13 (June 22, 2000), concerning (i) the use of tracking technologies
such as persistent cookies and (ii) parental consent consistent with
the Children’s Online Privacy Protection Act (“COPPA”).
II. Privacy
Impact Assessment
A. Definitions.
- Individual
- means a citizen of the United States or an alien lawfully admitted
for permanent residence.1
- Information
in identifiable form- is information in an IT system or online collection: (i) that directly
identifies an individual (e.g., name, address, social security number
or other identifying number or code, telephone number, email address,
etc.) or (ii) by which an agency intends to identify specific individuals
in conjunction with other data elements, i.e., indirect identification.
(These data elements may include a combination of gender, race, birth
date, geographic indicator, and other descriptors).2
- Information
technology (IT) - means, as defined in the Clinger-Cohen Act3,
any equipment, software or interconnected system or subsystem that
is used in the automatic acquisition, storage, manipulation, management,
movement, control, display, switching, interchange, transmission,
or reception of data or information.
- Major information
system - embraces “large” and “sensitive”
information systems and means, as defined in OMB Circular A-130 (Section
6.u.) and annually in OMB Circular A-11 (section 300-4 (2003)), a
system or project that requires special management attention because
of its: (i) importance to the agency mission, (ii) high development,
operating and maintenance costs, (iii) high risk, (iv) high return,
(v) significant role in the administration of an agency’s programs,
finances, property or other resources.
- National
Security Systems - means, as defined in the Clinger-Cohen Act4,
an information system operated by the federal government, the function,
operation or use of which involves: (a) intelligence activities, (b)
cryptologic activities related to national security, (c) command and
control of military forces, (d) equipment that is an integral part
of a weapon or weapons systems, or (e) systems critical to the direct
fulfillment of military or intelligence missions, but does not include
systems used for routine administrative and business applications,
such as payroll, finance, logistics and personnel management.
- Privacy
Impact Assessment (PIA)- is an analysis of how information is handled: (i) to ensure handling
conforms to applicable legal, regulatory, and policy requirements
regarding privacy, (ii) to determine the risks and effects of collecting,
maintaining and disseminating information in identifiable form in
an electronic information system, and (iii) to examine and evaluate
protections and alternative processes for handling information to
mitigate potential privacy risks.
- Privacy
policy in standardized machine-readable format- means a statement about site privacy practices written in a standard
computer language (not English text) that can be read automatically
by a web browser.
- When
to conduct a PIA:5
- The E-Government
Act requires agencies to conduct a PIA before:
- developing
or procuring IT systems or projects that collect, maintain or
disseminate information in identifiable form from or about members
of the public, or
- initiating,
consistent with the Paperwork Reduction Act, a new electronic
collection of information in identifiable form for 10 or more
persons (excluding agencies, instrumentalities or employees of
the federal government).
- In general,
PIAs are required to be performed and updated as necessary where a
system change creates new privacy risks. For example:
- Conversions - when converting paper-based records to electronic
systems;
- Anonymous
to Non-Anonymous - when functions applied to an existing information
collection change anonymous information into information in identifiable
form;
- Significant
System Management Changes - when new uses of an existing IT system,
including application of new technologies, significantly change
how information in identifiable form is managed in the system:
- For
example, when an agency employs new relational database technologies
or web-based processing to access multiple data stores; such
additions could create a more open environment and avenues
for exposure of data that previously did not exist.
- Significant
Merging - when agencies adopt or alter business processes so that
government databases holding information in identifiable form
are merged, centralized, matched with other databases or otherwise
significantly manipulated:
- For
example, when databases are merged to create one central source
of information; such a link may aggregate data in ways that
create privacy concerns not previously at issue.
- New Public
Access - when user-authenticating technology (e.g., password,
digital certificate, biometric) is newly applied to an electronic
information system accessed by members of the public;
- Commercial
Sources - when agencies systematically incorporate into existing
information systems databases of information in identifiable form
purchased or obtained from commercial or public sources. (Merely
querying such a source on an ad hoc basis using existing technology
does not trigger the PIA requirement);
- New Interagency
Uses - when agencies work together on shared functions involving
significant new uses or exchanges of information in identifiable
form, such as the cross-cutting E-Government initiatives; in such
cases, the lead agency should prepare the PIA;
- For
example the Department of Health and Human Services, the lead
agency for the Administration’s Public Health Line of
Business (LOB) Initiative, is spearheading work with several
agencies to define requirements for integration of processes
and accompanying information exchanges. HHS would thus prepare
the PIA to ensure that all privacy issues are effectively
managed throughout the development of this cross agency IT
investment.
- Internal
Flow or Collection - when alteration of a business process results
in significant new uses or disclosures of information or incorporation
into the system of additional items of information in identifiable
form:
- For
example, agencies that participate in E-Gov initiatives could
see major changes in how they conduct business internally
or collect information, as a result of new business processes
or E-Gov requirements. In most cases the focus will be on
integration of common processes and supporting data. Any business
change that results in substantial new requirements for information
in identifiable form could warrant examination of privacy
issues.
- Alteration
in Character of Data - when new information in identifiable form
added to a collection raises the risks to personal privacy (for
example, the addition of health or financial information)
- No PIA
is required where information relates to internal government operations,
has been previously assessed under an evaluation similar to a PIA,
or where privacy issues are unchanged, as in the following circumstances:
- for government-run
websites, IT systems or collections of information to the extent
that they do not collect or maintain information in identifiable
form about members of the general public (this includes government
personnel and government contractors and consultants);6
- for government-run
public websites where the user is given the option of contacting
the site operator for the limited purposes of providing feedback
(e.g., questions or comments) or obtaining additional information;
- for national
security systems defined at 40 U.S.C. 11103 as exempt from the
definition of information technology (see section 202(i) of the
E-Government Act);
- when all
elements of a PIA are addressed in a matching agreement governed
by the computer matching provisions of the Privacy Act (see 5
U.S.C. §§ 552a(8-10), (e)(12), (o), (p), (q), (r), (u)),
which specifically provide privacy protection for matched information;
- when all
elements of a PIA are addressed in an interagency agreement permitting
the merging of data for strictly statistical purposes and where
the resulting data are protected from improper disclosure and
use under Title V of the E-Government Act of 2002;
- if agencies
are developing IT systems or collecting non-identifiable information
for a discrete purpose, not involving matching with or retrieval
from other databases that generates information in identifiable
form;
- for minor
changes to a system or collection that do not create new privacy
risks.
- Update
of PIAs: Agencies
must update their PIAs to reflect changed information collection authorities,
business processes or other factors affecting the collection and handling
of information in identifiable form.
- Conducting
a PIA.
- Content.
- PIAs must
analyze and describe:
- what
information is to be collected (e.g., nature and source);
- why
the information is being collected (e.g., to determine eligibility);
- intended
use of the information (e.g., to verify existing data);
- with
whom the information will be shared (e.g., another agency
for a specified programmatic purpose);
- what
opportunities individuals have to decline to provide information
(i.e., where providing information is voluntary) or to consent
to particular uses of the information (other than required
or authorized uses), and how individuals can grant consent;
- how
the information will be secured (e.g., administrative and
technological controls7); and
- whether
a system of records is being created under the Privacy Act,
5 U.S.C. 552a.
- Analysis:
PIAs must identify what choices the agency made regarding an IT
system or collection of information as a result of performing
the PIA.
- Agencies should
commence a PIA when they begin to develop a new or significantly modified
IT system or information collection:
- Specificity.
The
depth and content of the PIA should be appropriate for the nature
of the information to be collected and the size and complexity
of the IT system.
- IT
development stage. PIAs conducted at this stage:
- should address privacy in the documentation related to
systems development, including, as warranted and appropriate,
statement of need, functional requirements analysis, alternatives
analysis, feasibility analysis, benefits/cost analysis,
and, especially, initial risk assessment;
- should address the impact the system will have on an individual’s
privacy, specifically identifying and evaluating potential
threats relating to each of the elements identified in
section II.C.1.a.(i)-(vii) above, to the extent these
elements are known at the initial stages of development;
- may need to be updated before deploying the system to
consider elements not identified at the concept stage
(e.g., retention or disposal of information), to reflect
a new information collection, or to address choices made
in designing the system or information collection as a
result of the analysis.
- Major
information systems. PIAs conducted for these systems
should reflect more extensive analyses of:
- the consequences of collection and flow of information,
- the alternatives to collection and handling as designed,
- the
appropriate measures to mitigate risks identified for
each alternative and,
- the rationale for the final design choice or business
process.
- Routine
database systems. Agencies may use a standardized approach
(e.g., checklist or template) for PIAs involving simple systems
containing routine information and involving limited use and
access.
- Information
life cycle analysis/collaboration. Agencies must consider
the information “life cycle” (i.e., collection, use,
retention, processing, disclosure and destruction) in evaluating
how information handling practices at each stage may affect individuals’
privacy. To be comprehensive and meaningful, privacy impact assessments
require collaboration by program experts as well as experts in
the areas of information technology, IT security, records management
and privacy.
- Review
and publication.
- a. Agencies
must ensure that:
- the
PIA document and, if prepared, summary are approved by a “reviewing
official” (the agency CIO or other agency head designee,
who is other than the official procuring the system or the
official who conducts the PIA);
- for
each covered IT system for which 2005 funding is requested,
and consistent with previous guidance from OMB, the PIA is
submitted to the Director of OMB no later than October 3,
2003 (submitted electronically to PIA@omb.eop.gov
along with the IT investment’s unique identifier as
described in OMB Circular A-11, instructions for the Exhibit
3008); and
- the
PIA document and, if prepared, summary, are made publicly
available (consistent with executive branch policy on the
release of information about systems for which funding is
proposed).
- Agencies may determine to not make the PIA document or
summary publicly available to the extent that publication
would raise security concerns, reveal classified (i.e.,
national security) information or sensitive information
(e.g., potentially damaging to a national interest, law
enforcement effort or competitive business interest) contained
in an assessment9. Such information
shall be protected and handled consistent with the Freedom
of Information Act (FOIA).
- Agencies should not include information in identifiable
form in their privacy impact assessments, as there is
no need for the PIA to include such information. Thus,
agencies may not seek to avoid making the PIA publicly
available on these grounds.
- Relationship to requirements under the Paperwork Reduction Act (PRA)10.
- Joint Information
Collection Request (ICR) and PIA. Agencies undertaking new electronic
information collections may conduct and submit the PIA to OMB, and
make it publicly available, as part of the SF83 Supporting Statement
(the request to OMB to approve a new agency information collection).
- If Agencies
submit a Joint ICR and PIA:
- All elements
of the PIA must be addressed and identifiable within the structure
of the Supporting Statement to the ICR, including:
- a description
of the information to be collected in the response to Item
1 of the Supporting Statement11;
- a description
of how the information will be shared and for what purpose
in Item 2 of the Supporting Statement12;
- a statement
detailing the impact the proposed collection will have on
privacy in Item 2 of the Supporting Statement13;
- a discussion
in item 10 of the Supporting Statement of:
- whether individuals are informed that providing the information
is mandatory or voluntary
- opportunities to consent, if any, to sharing and submission
of information;
- how the information will be secured; and
- whether a system of records is being created under the
Privacy Act)14.
- For additional
information on the requirements of an ICR, please consult your
agency’s organization responsible for PRA compliance.
- Agencies need
not conduct a new PIA for simple renewal requests for information
collections under the PRA. As determined by reference to section II.B.2.
above, agencies must separately consider the need for a PIA when amending
an ICR to collect information that is significantly different in character
from the original collection.
-
Relationship to requirements under the Privacy Act of 1974, 5 U.S. C.
552a.
- Agencies
may choose to conduct a PIA when developing the System of Records
(SOR) notice required by subsection (e)(4) of the Privacy Act, in
that the PIA and SOR overlap in content (e.g., the categories of
records in the system, the uses of the records, the policies and
practices for handling, etc.).
- Agencies,
in addition, may make the PIA publicly available in the Federal
Register along with the Privacy Act SOR notice.
- Agencies
must separately consider the need for a PIA when issuing a change
to a SOR notice (e.g., a change in the type or category of record
added to the system may warrant a PIA).
III. Privacy
Policies on Agency Websites
- Privacy
Policy Clarification. To promote clarity to the public, agencies
are required to refer to their general web site notices explaining agency
information handling practices as the “Privacy Policy.”
- Effective
Date. Agencies are expected to implement the following changes
to their websites by December 15, 2003.
- Exclusions:
For purposes of web privacy policies, this guidance does not apply
to:
- information
other than “government information” as defined in OMB
Circular A-130;
- agency intranet
web sites that are accessible only by authorized government users
(employees, contractors, consultants, fellows, grantees);
- national
security systems defined at 40 U.S.C. 11103 as exempt from the definition
of information technology (see section 202(i) of the E-government
Act).
- Content
of Privacy Policies.
- Agency Privacy
Policies must comply with guidance issued in OMB Memorandum
99-18 and must now also include the following two new content
areas:
- Consent
to collection and sharing15.
Agencies must now ensure that privacy policies:
- inform
visitors whenever providing requested information is voluntary;
- inform
visitors how to grant consent for use of voluntarily-provided
information; and
- inform
visitors how to grant consent to use mandatorily-provided
information for other than statutorily-mandated uses or
authorized routine uses under the Privacy Act.
- Rights
under the Privacy Act or other privacy laws16.
Agencies must now also notify web-site visitors of their rights
under the Privacy Act or other privacy-protecting laws that
may primarily apply to specific agencies (such as the Health
Insurance Portability and Accountability Act of 1996, the IRS
Restructuring and Reform Act of 1998, or the Family Education
Rights and Privacy Act):
- in
the body of the web privacy policy;
- via
link to the applicable agency regulation (e.g., Privacy
Act regulation and pertinent system notice); or
- via
link to other official summary of statutory rights (such
as the summary of Privacy Act rights in the FOIA/Privacy
Act Reference Materials posted by the Federal Consumer Information
Center at www.Firstgov.gov).
- Agency Privacy
Policies must continue to address the following, modified, requirements:
- Nature,
purpose, use and sharing of information collected . Agencies should
follow existing policies (issued in OMB
Memorandum 99-18) concerning notice of the nature, purpose,
use and sharing of information collected via the Internet, as
modified below:
- Privacy
Act information. When agencies collect information subject
to the Privacy Act, agencies are directed to explain what
portion of the information is maintained and retrieved by
name or personal identifier in a Privacy Act system of records
and provide a Privacy Act Statement either:
- at the point of collection, or
- via link to the agency’s general Privacy Policy18.
- “Privacy
Act Statements.” Privacy Act Statements must notify
users of the authority for and purpose and use of the collection
of information subject to the Privacy Act, whether providing
the information is mandatory or voluntary, and the effects
of not providing all or any part of the requested information.
- Automatically
Collected Information (site management data). Agency
Privacy Policies must specify what information the agency
collects automatically (i.e., user’s IP address, location,
and time of visit) and identify the use for which it is collected
(i.e., site management or security purposes).
- Interaction
with children: Agencies that provide content to children
under 13 and that collect personally identifiable information
from these visitors should incorporate the requirements of
the Children’s Online Privacy Protection Act (“COPPA”)
into their Privacy Policies (see Attachment C)19.
- Tracking and customization activities.Agencies are directed to adhere to the following modifications
to OMB Memorandum 00-13 and the
OMB follow-up guidance letter dated
September 5, 2000:
- Tracking technology prohibitions:
- agencies are prohibited from using persistent cookies
or any other means (e.g., web beacons) to track visitors’
activity on the Internet except as provided in subsection
(b) below;
- agency heads may approve, or may authorize the heads
of sub-agencies or senior official(s) reporting directly
to the agency head to approve, the use of persistent
tracking technology for a compelling need. When used,
agency’s must post clear notice in the agency’s
privacy policy of:
- the nature of the information collected;
- the
purpose and use for the information;
- whether and to whom the information will be disclosed;
and
- the privacy safeguards applied to the information
collected.
- agencies
must report the use of persistent tracking technologies
as authorized for use by subsection b. above (see
section VII)20.
- The following technologies are not prohibited:
- Technology that is used to facilitate a visitor’s
activity within a single session (e.g., a “session
cookie”) and does not persist over time is not
subject to the prohibition on the use of tracking
technology.
- Customization technology (to customize a website at
the visitor’s request) if approved by the agency
head or designee for use (see v.1.b above) and where
the following is posted in the Agency’s Privacy
Policy:
- the purpose of the tracking (i.e., customization
of the site);
- that accepting the customizing feature is voluntary;
- that declining the feature still permits the individual
to use the site; and
- the privacy safeguards in place for handling the
information collected.
- Agency use of password access to information that
does not involve “persistent cookies”
or similar technology.
- Law
enforcement and homeland security sharing: Consistent
with current practice, Internet privacy policies may reflect
that collected information may be shared and protected as
necessary for authorized law enforcement, homeland security
and national security activities.
- Security
of the information21. Agencies
should continue to comply with existing requirements for computer
security in administering their websites22
and post the following information in their Privacy Policy:
- in
clear language, information about management, operational
and technical controls ensuring the security and confidentiality
of personally identifiable records (e.g., access controls,
data storage procedures, periodic testing of safeguards, etc.),
and
- in
general terms, information about any additional safeguards
used to identify and prevent unauthorized attempts to access
or cause harm to information and systems. (The statement should
be at a level to inform the public that their information
is being protected while not compromising security.)
- Placement
of notices. Agencies should continue to follow the policy identified
in OMB Memorandum 99-18 regarding the posting
of privacy policies on their websites. Specifically, agencies must post
(or link to) privacy policies at:
- their principal
web site;
- any known,
major entry points to their sites;
- any web page
that collects substantial information in identifiable form.
- Clarity
of notices. Consistent with OMB
Memorandum 99-18, privacy policies must be:
- clearly labeled
and easily accessed;
- written in
plain language; and
- made clear
and easy to understand, whether by integrating all information and
statements into a single posting, by layering a short “highlights”
notice linked to full explanation, or by other means the agency
determines is effective.
IV. Privacy
Policies in Machine-Readable Formats
-
Actions.
- Agencies must
adopt machine readable technology that alerts users automatically
about whether site privacy practices match their personal privacy
preferences. Such technology enables users to make an informed choice
about whether to conduct business with that site.
- OMB encourages
agencies to adopt other privacy protective tools that become available
as the technology advances.
- Reporting
Requirement. Agencies must develop a timetable for translating
their privacy policies into a standardized machine-readable format.
The timetable must include achievable milestones that show the agency’s
progress toward implementation over the next year. Agencies must include
this timetable in their reports to OMB (see Section VII).
V. Privacy
Policies Incorporated by this Guidance
In addition to the
particular actions discussed above, this guidance reiterates general directives
from previous OMB Memoranda regarding the privacy of personal information
in federal records and collected on federal web sites. Specifically, existing
policies continue to require that agencies:
- assure that their
uses of new information technologies sustain, and do not erode, the
protections provided in all statutes relating to agency use, collection,
and disclosure of personal information;
- assure that personal
information contained in Privacy Act systems of records be handled in
full compliance with fair information practices as set out in the Privacy
Act of 1974;
- evaluate legislative
proposals involving collection, use and disclosure of personal information
by the federal government for consistency with the Privacy Act of 1974;
- evaluate legislative
proposals involving the collection, use and disclosure of personal information
by any entity, public or private, for consistency with the Privacy Principles;
- ensure full adherence
with stated privacy policies.
VI. Agency
Privacy Activities/Designation of Responsible Official
Because of the capability of information technology to capture and disseminate
information in an instant, all federal employees and contractors must
remain mindful of privacy and their obligation to protect information
in identifiable form. In addition, implementing the privacy provisions
of the E-Government Act requires the cooperation and coordination of privacy,
security, FOIA/Privacy Act and project officers located in disparate organizations
within agencies. Clear leadership and authority are essential.
Accordingly, this guidance builds on policy introduced in Memorandum 99-05
in the following ways:
- Agencies must:
- inform and
educate employees and contractors of their responsibility for protecting
information in identifiable form;
- identify
those individuals in the agency (e.g., information technology personnel,
Privacy Act Officers) that have day-to-day responsibility for implementing
section 208 of the E-Government Act, the Privacy Act, or other privacy
laws and policies.
- designate
an appropriate senior official or officials (e.g., CIO, Assistant
Secretary) to serve as the agency’s principal contact(s) for
information technology/web matters and for privacy policies. The
designated official(s) shall coordinate implementation of OMB web
and privacy policy and guidance.
- designate
an appropriate official (or officials, as appropriate) to serve
as the “reviewing official(s)” for agency PIAs.
- OMB leads a committee
of key officials involved in privacy that reviewed and helped shape
this guidance and that will review and help shape any follow-on privacy
and web-privacy-related guidance. In addition, as part of overseeing
agencies’ implementation of section 208, OMB will rely on the
CIO Council to collect information on agencies’ initial experience
in preparing PIAs, to share experiences, ideas, and promising practices
as well as identify any needed revisions to OMB’s guidance on
PIAs.
VII. Reporting
Requirements
Agencies are required to submit an annual report on compliance with this
guidance to OMB as part of their annual E-Government Act status report.
The first reports are due to OMB by December 15, 2003. All agencies that
use information technology systems and conduct electronic information
collection activities must complete a report on compliance with this guidance,
whether or not they submit budgets to OMB.
Reports must address
the following four elements:
- Information
technology systems or information collections for which PIAs were conducted.
Include the mechanism by which the PIA was made publicly available (website,
Federal Register, other), whether the PIA was made publicly available
in full, summary form or not at all (if in summary form or not at all,
explain), and, if made available in conjunction with an ICR or SOR,
the publication date.
- Persistent
tracking technology uses. If persistent tracking technology is
authorized, include the need that compels use of the technology, the
safeguards instituted to protect the information collected, the agency
official approving use of the tracking technology, and the actual privacy
policy notification of such use.
- Agency achievement
of goals for machine readability: Include goals for and progress
toward achieving compatibility of privacy policies with machine-readable
privacy protection technology.
- Contact information.
Include the individual(s) (name and title) appointed by the head of
the Executive Department or agency to serve as the agency’s principal
contact(s) for information technology/web matters and the individual
(name and title) primarily responsible for privacy policies.
Attachment
B
E-Government Act of 2002
Pub. L. No. 107-347, Dec. 17, 2002
SEC. 208.
PRIVACY PROVISIONS.
A. PURPOSE. —
The purpose of this section is to ensure sufficient protections for the
privacy of personal information as agencies implement citizen-centered
electronic Government.
B. PRIVACY IMPACT
ASSESSMENTS.—
- RESPONSIBILITIES
OF AGENCIES.—
- IN GENERAL.—An
agency shall take actions described under subparagraph (b) before—
- developing
or procuring information technology that collects, maintains,
or disseminates information that is in an identifiable form;
or
- initiating
a new collection of information that—
- will
be collected, maintained, or disseminated using information
technology; and
- includes
any information in an identifiable form permitting the physical
or online contacting of a specific individual, if identical
questions have been posed to, or identical reporting requirements
imposed on, 10 or more persons, other than agencies, instrumentalities,
or employees of the Federal Government.
- AGENCY ACTIVITIES.
—To the extent required under subparagraph (a), each agency
shall—
- conduct
a privacy impact assessment;
- ensure
the review of the privacy impact assessment by the Chief Information
Officer, or equivalent official, as determined by the head of
the agency; and
- if practicable,
after completion of the review under clause (ii), make the privacy
impact assessment publicly available through the website of
the agency, publication in the Federal Register, or other means.
- SENSITIVE
INFORMATION. —Subparagraph (b)(iii) may be modified or waived
for security reasons, or to protect classified, sensitive, or private
information contained in an assessment.
- COPY TO DIRECTOR.
—Agencies shall provide the Director with a copy of the privacy
impact assessment for each system for which funding is requested.
- CONTENTS OF A
PRIVACY IMPACT ASSESSMENT. —
- IN GENERAL.
—The Director shall issue guidance to agencies specifying
the required contents of a privacy impact assessment.
- GUIDANCE. — The guidance shall—
- ensure that a privacy impact assessment is commensurate with
the size of the information system being assessed, the sensitivity
of information that is in an identifiable form in that system,
and the risk of harm from unauthorized release of that information;
and
- require that a privacy impact assessment address—
- what information is to be collected;
- why the information is being collected;
- the intended use of the agency of the information;
- with whom the information will be shared;
- what notice or opportunities for consent would be provided
to individuals regarding what information is collected and
how that information is shared;
- how the information will be secured; and
- whether a system of records is being created under section
552a of title 5, United States Code, (commonly referred to
as the `Privacy Act').
- RESPONSIBILITIES OF THE DIRECTOR.—The Director shall—
- develop policies and guidelines for agencies on the conduct of
privacy impact assessments;
- oversee the implementation of the privacy impact assessment process
throughout the Government; and
- require agencies to conduct privacy impact assessments of existing
information systems or ongoing collections of information that is
in an identifiable form as the Director determines appropriate.
C. PRIVACY PROTECTIONS ON AGENCY WEBSITES. —
- PRIVACY POLICIES ON WEBSITES. —
- GUIDELINES FOR NOTICES. —The Director shall develop guidance
for privacy notices on agency websites used by the public.
- CONTENTS. —The guidance shall require that a privacy notice
address, consistent with section 552a of title 5, United States
Code—
- what information is to be collected;
- why the information is being collected;
- the intended use of the agency of the information;
- with whom the information will be shared;
- what notice or opportunities for consent would be provided
to individuals regarding what information is collected and how
that information is shared;
- how the information will be secured; and
- the rights of the individual under section 552a of title
5, United States Code (commonly referred to as the `Privacy
Act'), and other laws relevant to the protection of the privacy
of an individual.
- PRIVACY POLICIES IN MACHINE-READABLE FORMATS. — The Director
shall issue guidance requiring agencies to translate privacy policies
into a standardized machine-readable format.
D. DEFINITION. —In this section, the term `identifiable form' means
any representation of information that permits the identity of an individual
to whom the information applies to be reasonably inferred by either direct
or indirect means.
Attachment C
This attachment is a summary by the Federal Trade Commission of its
guidance regarding federal agency compliance with the Children’s
Online Privacy Protection Act (COPPA).
The hallmarks of COPPA for purposes of federal online activity are (i)
notice of information collection practices (ii) verifiable parental consent
and (iii) access, as generally outlined below:
- Notice of Information Collection Practices
Agencies whose Internet sites offer a separate children’s area
and collect personal information from them must post a clear and prominent
link to its Internet privacy policy on the home page of the children’s
area and at each area where it collects personal information from children.
The privacy policy should provide the name and contact information of
the agency representative required to respond to parental inquiries
about the site. Importantly, the privacy policy should inform parents
about the kinds of information collected from children, how the information
is collected (directly, or through cookies), how the information is
used, and procedures for reviewing/deleting the information obtained
from children.
In addition, the privacy policy should inform parents that only the
minimum information necessary for participation in the activity is collected
from the child.In addition to providing notice by posting a privacy
policy, notice of an Internet site’s information collection practices
must be sent directly to a parent when a site is requesting parental
consent to collection personal information from a child. This direct
notice should tell parents that the site would like to collect personal
information from their child, that their consent is required for this
collection, and how consent can be provided. The notice should also
contain the information set forth in the site’s privacy policy,
or provide an explanatory link to the privacy policy.
- Verifiable Parental Consent
With limited exceptions, agencies must obtain parental consent before
collecting any personal information from children under the age of 13.
If agencies are using the personal information for their internal use
only, they may obtain parental consent through an e-mail message from
the parent, as long as they take additional steps to increase the likelihood
that the parent has, in fact, provided the consent. For example, agencies
might seek confirmation from a parent in a delayed confirmatory e-mail,
or confirm the parent’s consent by letter or phone call23.
However, if agencies disclose the personal information to third parties
or the public (through chat rooms or message boards), only the most
reliable methods of obtaining consent must be used. These methods include:
(i) obtaining a signed form from the parent via postal mail or facsimile,
(ii) accepting and verifying a credit card number in connection with
a transaction, (iii) taking calls from parents through a toll-free telephone
number staffed by trained personnel, or (iv) email accompanied by digital
signature.
Although COPPA anticipates that private sector Internet operators may
share collected information with third parties (for marketing or other
commercial purposes) and with the public (through chat rooms or message
boards), as a general principle, federal agencies collect information
from children only for purposes of the immediate online activity or
other, disclosed, internal agency use. (Internal agency use of collected
information would include release to others who use it solely to provide
support for the internal operations of the site or service, including
technical support and order fulfillment.) By analogy to COPPA and consistent
with the Privacy Act, agencies may not use information collected from
children in any manner not initially disclosed and for which explicit
parental consent has not been obtained. Agencies’ Internet privacy
policies should reflect these disclosure and consent principles.
COPPA’s implementing regulations include several exceptions to
the requirement to obtain advance parental consent where the Internet
operator (here, the agency) collects a child’s email address for
the following purposes: (i) to provide notice and seek consent, (ii)
to respond to a one-time request from a child before deleting it, (iii)
to respond more than once to a specific request, e.g., for a subscription
to a newsletter, as long as the parent is notified of, and has the opportunity
to terminate a continuing series of communications, (iv) to protect
the safety of a child, so long as the parent is notified and given the
opportunity to prevent further use of the information, and (v) to protect
the security or liability of the site or to respond to law enforcement
if necessary.
Agencies should send a new notice and request for consent to parents
any time the agency makes material changes in the collection or use
of information to which the parent had previously agreed. Agencies should
also make clear to parents that they may revoke their consent, refuse
to allow further use or collection of the child’s personal information
and direct the agency to delete the information at any time.
- Access
At a parent’s request, agencies must disclose the general kinds
of personal information they collect online from children as well as
the specific information collected from a child. Agencies must use reasonable
procedures to ensure they are dealing with the child’s parent
before they provide access to the child’s specific information,
e.g., obtaining signed hard copy of identification, accepting and verifying
a credit card number, taking calls from parents on a toll-free line
staffed by trained personnel, email accompanied by digital signature,
or email accompanied by a PIN or password obtained through one of the
verification methods above.
In adapting the provisions of COPPA to their Internet operations, agencies
should consult the FTC’s web site at http://www.ftc.gov/privacy/privacyinitiatives/childrens.html
or call the COPPA compliance telephone line at (202) 326-3140.
Attachment D
Summary of Modifications to Prior Guidance
This Memorandum modifies prior guidance in the following ways:
* Internet Privacy Policies (Memorandum 99-18):
- must identify when tracking technology is used to personalize the
interaction, and explain the purpose of the feature and the visitor’s
option to decline it.
- must clearly explain when information is maintained and retrieved
by personal identifier in a Privacy Act system of records; must provide
(or link to) a Privacy Act statement (which may be subsumed within agency’s
Internet privacy policy) where Privacy Act information is solicited.
- should clearly explain an individual’s rights under the Privacy
Act if solicited information is to be maintained in a Privacy Act system
of records; information about rights under the Privacy Act may be provided
in the body of the web privacy policy or via link to the agency’s
published systems notice and Privacy Act regulation or other summary
of rights under the Privacy Act (notice and explanation of rights under
other privacy laws should be handled in the same manner).
- when a Privacy Act Statement is not required, must link to the agency’s
Internet privacy policy explaining the purpose of the collection and
use of the information (point-of-collection notice at agency option).
- must clearly explain where the user may consent to the collection
or sharing of information and must notify users of any available mechanism
to grant consent.
- agencies must undertake to make their Internet privacy policies “readable”
by privacy protection technology and report to OMB their progress in
that effort.
- must adhere to the regulatory requirements of the Children’s
Online Privacy Protection Act (COPPA) when collecting information electronically
from children under age 13.
*Tracking Technology (Memorandum 00-13):
- prohibition against tracking visitors’ Internet use extended
to include tracking by any means (previous guidance addressed only “persistent
cookies”).? authority to waive the prohibition on tracking in
appropriate circumstances may be retained by the head of an agency,
or may be delegated to (i) senior official(s) reporting directly to
the agency head, or to (ii) the heads of sub-agencies.? agencies must
report the use of tracking technology to OMB, identifying the circumstances,
safeguards and approving official.
- agencies using customizing technology must explain the use, voluntary
nature of and the safeguards applicable to the customizing device in
the Internet privacy policy.
- agency heads or their designees may approve the use of persistent
tracking technology to customize Internet interactions with the government.
* Privacy responsibilities (Memorandum 99-05)
- agencies to identify individuals with day-to-day responsibility for
implementing the privacy provisions of the E-Government Act, the Privacy
Act and any other applicable statutory privacy regime.
- agencies to report to OMB the identities of senior official(s) primarily
responsible for implementing and coordinating information technology/web
policies and privacy policies.
- Agencies may, consistent with individual
practice, choose to extend the protections of the Privacy Act and
E-Government Act to businesses, sole proprietors, aliens, etc.
- Information in identifiable form is defined in section
208(d) of the Act as “any representation of information that permits
the identity of an individual to whom the information applies to be
reasonably inferred by either direct or indirect means.” Information
“permitting the physical or online contacting of a specific individual”
(see section 208(b)(1)(A)(ii)(II)) is the same as “information
in identifiable form.”
- Clinger-Cohen Act of 1996, 40 U.S.C. 11101(6).
- Clinger-Cohen Act of 1996, 40 U.S.C. 11103.
- In addition to these statutorily prescribed activities,
the E-Government Act authorizes the Director of OMB to require agencies
to conduct PIAs of existing electronic information systems or ongoing
collections of information in identifiable form as the Director determines
appropriate. (see section 208(b)(3)(C)).
- Information in identifiable form about government
personnel generally is protected by the Privacy Act of 1974. Nevertheless,
OMB encourages agencies to conduct PIAs for these systems as appropriate.
- Consistent with agency requirements under the Federal
Information Security Management Act, agencies should: (i) affirm that
the agency is following IT security requirements and procedures required
by federal law and policy to ensure that information is appropriately
secured, (ii) acknowledge that the agency has conducted a risk assessment,
identified appropriate security controls to protect against that risk,
and implemented those controls, (iii) describe the monitoring/testing/evaluating
on a regular basis to ensure that controls continue to work properly,
safeguarding the information, and (iv) provide a point of contact for
any additional questions from users. Given the potential sensitivity
of security-related information, agencies should ensure that the IT
security official responsible for the security of the system and its
information reviews the language before it is posted.
- PIAs that comply with the statutory requirements
and previous versions of this Memorandum are acceptable for agencies’
FY 2005 budget submissions.
- Section 208(b)(1)(C).
- See 44 USC Chapter 35 and implementing regulations,
5 CFR Part 1320.8.
- Item 1 of the Supporting Statement reads: “Explain
the circumstances that make the collection of information necessary.
Identify any legal or administrative requirements that necessitate the
collection. Attach a copy of the appropriate section of each statute
and regulation mandating or authorizing the collection of information.”
- Item 2 of the Supporting Statement reads: “Indicate
how, by whom, and for what purpose the information is to be used. Except
for a new collection, indicate the actual use the agency has made of
the information received from the current collection.”
- Item 2 of the Supporting Statement reads: “Indicate
how, by whom, and for what purpose the information is to be used. Except
for a new collection, indicate the actual use the agency has made of
the information received from the current collection.”
- Item 10 of the Supporting Statement reads: “Describe
any assurance of confidentiality provided to respondents and the basis
for the assurance in statute, regulation, or agency policy.”
- Section 208(c)(1)(B)(v).
- Section 208(c)(1)(B)(vii).
- Section 208(c)(1)(B)(i-iv).
- When multiple Privacy Act Statements are incorporated
in a web privacy policy, a point-of-collection link must connect to
the Privacy Act Statement pertinent to the particular collection.
- Attachment C contains a general outline of COPPA’s
regulatory requirements. Agencies should consult the Federal Trade Commission’s
COPPA compliance telephone line at (202)-326-3140 or website for additional
information at: http://www.ftc.gov/privacy/privacyinitiatives/childrens.html.
- Consistent with current practice, the agency head
or designee may limit, as appropriate, notice and reporting of tracking
activities that the agency has properly approved and which are used
for authorized law enforcement, national security and/or homeland security
purposes.
- Section 208(c)(1)(B)(vi).
- Federal Information Security Management Act of 2002
(Title III of P.L. 107-347), OMB’s related security guidance and
policies (Appendix III to OMB Circular A-130, “Security of Federal
Automated Information Resources”) and standards and guidelines
development by the National Institute of Standards and Technologies.
- This standard was set to expire in April 2002, at
which time the most verifiable methods of obtaining consent would have
been required; however, in a Notice of Proposed Rulemaking, published
in the Federal Register on October 31, 2001, the FTC has proposed that
this standard be extended until April 2004. 66 Fed. Reg. 54963.
Return to this article at:
/omb/memoranda/m03-22.html