September 26, 2003

M-03-22

MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

Background

Attachments

Attachment A
Attachment B
Attachment C
Attachment D

Attachment A

E-Government Act Section 208 Implementation Guidance

I. General

1. Requirements. Agencies are required to:
1. conduct privacy impact assessments for electronic information systems and collections and, in general, make them publicly available (see Section II of this Guidance),
2. post privacy policies on agency websites used by the public (see Section III),
3. translate privacy policies into a standardized machine-readable format (see Section IV), and
4. report annually to OMB on compliance with section 208 of the E-Government Act of 2002 (see Section VII).

2. Application. This guidance applies to:
   1. all executive branch departments and agencies (“agencies”) and their contractors that use information technology or that operate websites for purposes of interacting with the public;
   2. relevant cross-agency initiatives, including those that further electronic government.

Modifications to Current Guidance. Where indicated, this Memorandum modifies the following three memoranda, which are replaced by this guidance (see summary of modifications at Attachment D):
1. Memorandum 99-05 (January 7, 1999), directing agencies to examine their procedures for ensuring the privacy of personal information in federal records and to designate a senior official to assume primary responsibility for privacy policy;
2. Memorandum 99-18 (June 2, 1999), concerning posting privacy policies on major entry points to government web sites as well as on any web page collecting substantial personal information from the public; and
3. Memorandum 00-13 (June 22, 2000), concerning (i) the use of tracking technologies such as persistent cookies and (ii) parental consent consistent with the Children’s Online Privacy Protection Act (“COPPA”).

II. Privacy Impact Assessment

A. Definitions.
1. Individual - means a citizen of the United States or an alien lawfully admitted for permanent residence.¹
2. Information in identifiable form- is information in an IT system or online collection: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors).²
3. Information technology (IT) - means, as defined in the Clinger-Cohen Act³, any equipment, software or interconnected system or subsystem that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.
4. Major information system - embraces “large” and “sensitive” information systems and means, as defined in OMB Circular A-130 (Section 6.u.) and annually in OMB Circular A-11 (section 300-4 (2003)), a system or project that requires special management attention because of its: (i) importance to the agency mission, (ii) high development, operating and maintenance costs, (iii) high risk, (iv) high return, (v) significant role in the administration of an agency’s programs, finances, property or other resources.
5. National Security Systems - means, as defined in the Clinger-Cohen Act⁴, an information system operated by the federal government, the function, operation or use of which involves: (a) intelligence activities, (b) cryptologic activities related to national security, (c) command and control of military forces, (d) equipment that is an integral part of a weapon or weapons systems, or (e) systems critical to the direct fulfillment of military or intelligence missions, but does not include systems used for routine administrative and business applications, such as payroll, finance, logistics and personnel management.
6. Privacy Impact Assessment (PIA)- is an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
7. Privacy policy in standardized machine-readable format- means a statement about site privacy practices written in a standard computer language (not English text) that can be read automatically by a web browser.

2. When to conduct a PIA:⁵
1. The E-Government Act requires agencies to conduct a PIA before:
   1. developing or procuring IT systems or projects that collect, maintain or disseminate information in identifiable form from or about members of the public, or
   2. initiating, consistent with the Paperwork Reduction Act, a new electronic collection of information in identifiable form for 10 or more persons (excluding agencies, instrumentalities or employees of the federal government).
2. In general, PIAs are required to be performed and updated as necessary where a system change creates new privacy risks. For example:
   1. Conversions - when converting paper-based records to electronic systems;
   2. Anonymous to Non-Anonymous - when functions applied to an existing information collection change anonymous information into information in identifiable form;
   3. Significant System Management Changes - when new uses of an existing IT system, including application of new technologies, significantly change how information in identifiable form is managed in the system:
      • For example, when an agency employs new relational database technologies or web-based processing to access multiple data stores; such additions could create a more open environment and avenues for exposure of data that previously did not exist.
   4. Significant Merging - when agencies adopt or alter business processes so that government databases holding information in identifiable form are merged, centralized, matched with other databases or otherwise significantly manipulated:
      • For example, when databases are merged to create one central source of information; such a link may aggregate data in ways that create privacy concerns not previously at issue.
   5. New Public Access - when user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system accessed by members of the public;
   6. Commercial Sources - when agencies systematically incorporate into existing information systems databases of information in identifiable form purchased or obtained from commercial or public sources. (Merely querying such a source on an ad hoc basis using existing technology does not trigger the PIA requirement);
   7. New Interagency Uses - when agencies work together on shared functions involving significant new uses or exchanges of information in identifiable form, such as the cross-cutting E-Government initiatives; in such cases, the lead agency should prepare the PIA;
      • For example the Department of Health and Human Services, the lead agency for the Administration’s Public Health Line of Business (LOB) Initiative, is spearheading work with several agencies to define requirements for integration of processes and accompanying information exchanges. HHS would thus prepare the PIA to ensure that all privacy issues are effectively managed throughout the development of this cross agency IT investment.
   8. Internal Flow or Collection - when alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional items of information in identifiable form:
      • For example, agencies that participate in E-Gov initiatives could see major changes in how they conduct business internally or collect information, as a result of new business processes or E-Gov requirements. In most cases the focus will be on integration of common processes and supporting data. Any business change that results in substantial new requirements for information in identifiable form could warrant examination of privacy issues.
   9. Alteration in Character of Data - when new information in identifiable form added to a collection raises the risks to personal privacy (for example, the addition of health or financial information)
3. No PIA is required where information relates to internal government operations, has been previously assessed under an evaluation similar to a PIA, or where privacy issues are unchanged, as in the following circumstances:
   1. for government-run websites, IT systems or collections of information to the extent that they do not collect or maintain information in identifiable form about members of the general public (this includes government personnel and government contractors and consultants);⁶
   2. for government-run public websites where the user is given the option of contacting the site operator for the limited purposes of providing feedback (e.g., questions or comments) or obtaining additional information;
   3. for national security systems defined at 40 U.S.C. 11103 as exempt from the definition of information technology (see section 202(i) of the E-Government Act);
   4. when all elements of a PIA are addressed in a matching agreement governed by the computer matching provisions of the Privacy Act (see 5 U.S.C. §§ 552a(8-10), (e)(12), (o), (p), (q), (r), (u)), which specifically provide privacy protection for matched information;
   5. when all elements of a PIA are addressed in an interagency agreement permitting the merging of data for strictly statistical purposes and where the resulting data are protected from improper disclosure and use under Title V of the E-Government Act of 2002;
   6. if agencies are developing IT systems or collecting non-identifiable information for a discrete purpose, not involving matching with or retrieval from other databases that generates information in identifiable form;
   7. for minor changes to a system or collection that do not create new privacy risks.
4. Update of PIAs: Agencies must update their PIAs to reflect changed information collection authorities, business processes or other factors affecting the collection and handling of information in identifiable form.

3. Conducting a PIA.
   1. Content.
      1. PIAs must analyze and describe:
         1. what information is to be collected (e.g., nature and source);
         2. why the information is being collected (e.g., to determine eligibility);
         3. intended use of the information (e.g., to verify existing data);
         4. with whom the information will be shared (e.g., another agency for a specified programmatic purpose);
         5. what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how individuals can grant consent;
         6. how the information will be secured (e.g., administrative and technological controls⁷); and
         7. whether a system of records is being created under the Privacy Act, 5 U.S.C. 552a.
      2. Analysis: PIAs must identify what choices the agency made regarding an IT system or collection of information as a result of performing the PIA.
   2. Agencies should commence a PIA when they begin to develop a new or significantly modified IT system or information collection:
      1. Specificity. The depth and content of the PIA should be appropriate for the nature of the information to be collected and the size and complexity of the IT system.
         1. IT development stage. PIAs conducted at this stage:
            1. should address privacy in the documentation related to systems development, including, as warranted and appropriate, statement of need, functional requirements analysis, alternatives analysis, feasibility analysis, benefits/cost analysis, and, especially, initial risk assessment;
            2. should address the impact the system will have on an individual’s privacy, specifically identifying and evaluating potential threats relating to each of the elements identified in section II.C.1.a.(i)-(vii) above, to the extent these elements are known at the initial stages of development;
            3. may need to be updated before deploying the system to consider elements not identified at the concept stage (e.g., retention or disposal of information), to reflect a new information collection, or to address choices made in designing the system or information collection as a result of the analysis.
         2. Major information systems. PIAs conducted for these systems should reflect more extensive analyses of:
            1. the consequences of collection and flow of information,
            2. the alternatives to collection and handling as designed,
            3. the appropriate measures to mitigate risks identified for each alternative and,
            4. the rationale for the final design choice or business process.
         3. Routine database systems. Agencies may use a standardized approach (e.g., checklist or template) for PIAs involving simple systems containing routine information and involving limited use and access.
      2. Information life cycle analysis/collaboration. Agencies must consider the information “life cycle” (i.e., collection, use, retention, processing, disclosure and destruction) in evaluating how information handling practices at each stage may affect individuals’ privacy. To be comprehensive and meaningful, privacy impact assessments require collaboration by program experts as well as experts in the areas of information technology, IT security, records management and privacy.
   3. Review and publication.
      1. a. Agencies must ensure that:
         1. the PIA document and, if prepared, summary are approved by a “reviewing official” (the agency CIO or other agency head designee, who is other than the official procuring the system or the official who conducts the PIA);
         2. for each covered IT system for which 2005 funding is requested, and consistent with previous guidance from OMB, the PIA is submitted to the Director of OMB no later than October 3, 2003 (submitted electronically to PIA@omb.eop.gov along with the IT investment’s unique identifier as described in OMB Circular A-11, instructions for the Exhibit 300⁸); and
         3. the PIA document and, if prepared, summary, are made publicly available (consistent with executive branch policy on the release of information about systems for which funding is proposed).
            1. Agencies may determine to not make the PIA document or summary publicly available to the extent that publication would raise security concerns, reveal classified (i.e., national security) information or sensitive information (e.g., potentially damaging to a national interest, law enforcement effort or competitive business interest) contained in an assessment⁹. Such information shall be protected and handled consistent with the Freedom of Information Act (FOIA).
            2. Agencies should not include information in identifiable form in their privacy impact assessments, as there is no need for the PIA to include such information. Thus, agencies may not seek to avoid making the PIA publicly available on these grounds.

4. Relationship to requirements under the Paperwork Reduction Act (PRA)¹⁰.
1. Joint Information Collection Request (ICR) and PIA. Agencies undertaking new electronic information collections may conduct and submit the PIA to OMB, and make it publicly available, as part of the SF83 Supporting Statement (the request to OMB to approve a new agency information collection).
2. If Agencies submit a Joint ICR and PIA:
   1. All elements of the PIA must be addressed and identifiable within the structure of the Supporting Statement to the ICR, including:
      1. a description of the information to be collected in the response to Item 1 of the Supporting Statement¹¹;
      2. a description of how the information will be shared and for what purpose in Item 2 of the Supporting Statement¹²;
      3. a statement detailing the impact the proposed collection will have on privacy in Item 2 of the Supporting Statement¹³;
      4. a discussion in item 10 of the Supporting Statement of:
         1. whether individuals are informed that providing the information is mandatory or voluntary
         2. opportunities to consent, if any, to sharing and submission of information;
         3. how the information will be secured; and
         4. whether a system of records is being created under the Privacy Act)¹⁴.
   2. For additional information on the requirements of an ICR, please consult your agency’s organization responsible for PRA compliance.
3. Agencies need not conduct a new PIA for simple renewal requests for information collections under the PRA. As determined by reference to section II.B.2. above, agencies must separately consider the need for a PIA when amending an ICR to collect information that is significantly different in character from the original collection.

5. Relationship to requirements under the Privacy Act of 1974, 5 U.S. C. 552a.
   1. Agencies may choose to conduct a PIA when developing the System of Records (SOR) notice required by subsection (e)(4) of the Privacy Act, in that the PIA and SOR overlap in content (e.g., the categories of records in the system, the uses of the records, the policies and practices for handling, etc.).
   2. Agencies, in addition, may make the PIA publicly available in the Federal Register along with the Privacy Act SOR notice.
   3. Agencies must separately consider the need for a PIA when issuing a change to a SOR notice (e.g., a change in the type or category of record added to the system may warrant a PIA).

III. Privacy Policies on Agency Websites

1. Privacy Policy Clarification. To promote clarity to the public, agencies are required to refer to their general web site notices explaining agency information handling practices as the “Privacy Policy.”

2. Effective Date. Agencies are expected to implement the following changes to their websites by December 15, 2003.

3. Exclusions: For purposes of web privacy policies, this guidance does not apply to:
   1. information other than “government information” as defined in OMB Circular A-130;
   2. agency intranet web sites that are accessible only by authorized government users (employees, contractors, consultants, fellows, grantees);
   3. national security systems defined at 40 U.S.C. 11103 as exempt from the definition of information technology (see section 202(i) of the E-government Act).

4. Content of Privacy Policies.
   1. Agency Privacy Policies must comply with guidance issued in OMB Memorandum 99-18 and must now also include the following two new content areas:
      1. Consent to collection and sharing¹⁵. Agencies must now ensure that privacy policies:
         1. inform visitors whenever providing requested information is voluntary;
         2. inform visitors how to grant consent for use of voluntarily-provided information; and
         3. inform visitors how to grant consent to use mandatorily-provided information for other than statutorily-mandated uses or authorized routine uses under the Privacy Act.
      2. Rights under the Privacy Act or other privacy laws¹⁶. Agencies must now also notify web-site visitors of their rights under the Privacy Act or other privacy-protecting laws that may primarily apply to specific agencies (such as the Health Insurance Portability and Accountability Act of 1996, the IRS Restructuring and Reform Act of 1998, or the Family Education Rights and Privacy Act):
         1. in the body of the web privacy policy;
         2. via link to the applicable agency regulation (e.g., Privacy Act regulation and pertinent system notice); or
         3. via link to other official summary of statutory rights (such as the summary of Privacy Act rights in the FOIA/Privacy Act Reference Materials posted by the Federal Consumer Information Center at www.Firstgov.gov).
   2. Agency Privacy Policies must continue to address the following, modified, requirements:
   1. Nature, purpose, use and sharing of information collected . Agencies should follow existing policies (issued in OMB Memorandum 99-18) concerning notice of the nature, purpose, use and sharing of information collected via the Internet, as modified below:
      1. Privacy Act information. When agencies collect information subject to the Privacy Act, agencies are directed to explain what portion of the information is maintained and retrieved by name or personal identifier in a Privacy Act system of records and provide a Privacy Act Statement either:
         1. at the point of collection, or
         2. via link to the agency’s general Privacy Policy¹⁸.
      2. “Privacy Act Statements.” Privacy Act Statements must notify users of the authority for and purpose and use of the collection of information subject to the Privacy Act, whether providing the information is mandatory or voluntary, and the effects of not providing all or any part of the requested information.
      3. Automatically Collected Information (site management data). Agency Privacy Policies must specify what information the agency collects automatically (i.e., user’s IP address, location, and time of visit) and identify the use for which it is collected (i.e., site management or security purposes).
      4. Interaction with children: Agencies that provide content to children under 13 and that collect personally identifiable information from these visitors should incorporate the requirements of the Children’s Online Privacy Protection Act (“COPPA”) into their Privacy Policies (see Attachment C)¹⁹.
      5. Tracking and customization activities.Agencies are directed to adhere to the following modifications to OMB Memorandum 00-13 and the OMB follow-up guidance letter dated September 5, 2000:
         1. Tracking technology prohibitions:
            1. agencies are prohibited from using persistent cookies or any other means (e.g., web beacons) to track visitors’ activity on the Internet except as provided in subsection (b) below;
            2. agency heads may approve, or may authorize the heads of sub-agencies or senior official(s) reporting directly to the agency head to approve, the use of persistent tracking technology for a compelling need. When used, agency’s must post clear notice in the agency’s privacy policy of:
               • the nature of the information collected;
               • the purpose and use for the information;
               • whether and to whom the information will be disclosed; and
               • the privacy safeguards applied to the information collected.
            3. agencies must report the use of persistent tracking technologies as authorized for use by subsection b. above (see section VII)²⁰.
         2. The following technologies are not prohibited:
            1. Technology that is used to facilitate a visitor’s activity within a single session (e.g., a “session cookie”) and does not persist over time is not subject to the prohibition on the use of tracking technology.
            2. Customization technology (to customize a website at the visitor’s request) if approved by the agency head or designee for use (see v.1.b above) and where the following is posted in the Agency’s Privacy Policy:
               • the purpose of the tracking (i.e., customization of the site);
               • that accepting the customizing feature is voluntary;
               • that declining the feature still permits the individual to use the site; and
               • the privacy safeguards in place for handling the information collected.
            3. Agency use of password access to information that does not involve “persistent cookies” or similar technology.
      6. Law enforcement and homeland security sharing: Consistent with current practice, Internet privacy policies may reflect that collected information may be shared and protected as necessary for authorized law enforcement, homeland security and national security activities.
   2. Security of the information²¹. Agencies should continue to comply with existing requirements for computer security in administering their websites²² and post the following information in their Privacy Policy:
      1. in clear language, information about management, operational and technical controls ensuring the security and confidentiality of personally identifiable records (e.g., access controls, data storage procedures, periodic testing of safeguards, etc.), and
      2. in general terms, information about any additional safeguards used to identify and prevent unauthorized attempts to access or cause harm to information and systems. (The statement should be at a level to inform the public that their information is being protected while not compromising security.)

5. Placement of notices. Agencies should continue to follow the policy identified in OMB Memorandum 99-18 regarding the posting of privacy policies on their websites. Specifically, agencies must post (or link to) privacy policies at:
   1. their principal web site;
   2. any known, major entry points to their sites;
   3. any web page that collects substantial information in identifiable form.
6. Clarity of notices. Consistent with OMB Memorandum 99-18, privacy policies must be:
   1. clearly labeled and easily accessed;
   2. written in plain language; and
   3. made clear and easy to understand, whether by integrating all information and statements into a single posting, by layering a short “highlights” notice linked to full explanation, or by other means the agency determines is effective.

IV. Privacy Policies in Machine-Readable Formats

1. Actions.
1. Agencies must adopt machine readable technology that alerts users automatically about whether site privacy practices match their personal privacy preferences. Such technology enables users to make an informed choice about whether to conduct business with that site.
2. OMB encourages agencies to adopt other privacy protective tools that become available as the technology advances.
2. Reporting Requirement. Agencies must develop a timetable for translating their privacy policies into a standardized machine-readable format. The timetable must include achievable milestones that show the agency’s progress toward implementation over the next year. Agencies must include this timetable in their reports to OMB (see Section VII).

V. Privacy Policies Incorporated by this Guidance

In addition to the particular actions discussed above, this guidance reiterates general directives from previous OMB Memoranda regarding the privacy of personal information in federal records and collected on federal web sites. Specifically, existing policies continue to require that agencies:

1. assure that their uses of new information technologies sustain, and do not erode, the protections provided in all statutes relating to agency use, collection, and disclosure of personal information;
2. assure that personal information contained in Privacy Act systems of records be handled in full compliance with fair information practices as set out in the Privacy Act of 1974;
3. evaluate legislative proposals involving collection, use and disclosure of personal information by the federal government for consistency with the Privacy Act of 1974;
4. evaluate legislative proposals involving the collection, use and disclosure of personal information by any entity, public or private, for consistency with the Privacy Principles;
5. ensure full adherence with stated privacy policies.

VI. Agency Privacy Activities/Designation of Responsible Official
Because of the capability of information technology to capture and disseminate information in an instant, all federal employees and contractors must remain mindful of privacy and their obligation to protect information in identifiable form. In addition, implementing the privacy provisions of the E-Government Act requires the cooperation and coordination of privacy, security, FOIA/Privacy Act and project officers located in disparate organizations within agencies. Clear leadership and authority are essential.

Accordingly, this guidance builds on policy introduced in Memorandum 99-05 in the following ways:

1. Agencies must:
   1. inform and educate employees and contractors of their responsibility for protecting information in identifiable form;
   2. identify those individuals in the agency (e.g., information technology personnel, Privacy Act Officers) that have day-to-day responsibility for implementing section 208 of the E-Government Act, the Privacy Act, or other privacy laws and policies.
   3. designate an appropriate senior official or officials (e.g., CIO, Assistant Secretary) to serve as the agency’s principal contact(s) for information technology/web matters and for privacy policies. The designated official(s) shall coordinate implementation of OMB web and privacy policy and guidance.
   4. designate an appropriate official (or officials, as appropriate) to serve as the “reviewing official(s)” for agency PIAs.
      
      
2. OMB leads a committee of key officials involved in privacy that reviewed and helped shape this guidance and that will review and help shape any follow-on privacy and web-privacy-related guidance. In addition, as part of overseeing agencies’ implementation of section 208, OMB will rely on the CIO Council to collect information on agencies’ initial experience in preparing PIAs, to share experiences, ideas, and promising practices as well as identify any needed revisions to OMB’s guidance on PIAs.

VII. Reporting Requirements
Agencies are required to submit an annual report on compliance with this guidance to OMB as part of their annual E-Government Act status report. The first reports are due to OMB by December 15, 2003. All agencies that use information technology systems and conduct electronic information collection activities must complete a report on compliance with this guidance, whether or not they submit budgets to OMB.

Reports must address the following four elements:

1. Information technology systems or information collections for which PIAs were conducted. Include the mechanism by which the PIA was made publicly available (website, Federal Register, other), whether the PIA was made publicly available in full, summary form or not at all (if in summary form or not at all, explain), and, if made available in conjunction with an ICR or SOR, the publication date.
2. Persistent tracking technology uses. If persistent tracking technology is authorized, include the need that compels use of the technology, the safeguards instituted to protect the information collected, the agency official approving use of the tracking technology, and the actual privacy policy notification of such use.
3. Agency achievement of goals for machine readability: Include goals for and progress toward achieving compatibility of privacy policies with machine-readable privacy protection technology.
4. Contact information. Include the individual(s) (name and title) appointed by the head of the Executive Department or agency to serve as the agency’s principal contact(s) for information technology/web matters and the individual (name and title) primarily responsible for privacy policies.

Attachment B
E-Government Act of 2002
Pub. L. No. 107-347, Dec. 17, 2002

SEC. 208. PRIVACY PROVISIONS.

A. PURPOSE. — The purpose of this section is to ensure sufficient protections for the privacy of personal information as agencies implement citizen-centered electronic Government.

B. PRIVACY IMPACT ASSESSMENTS.—

1. RESPONSIBILITIES OF AGENCIES.—
   1. IN GENERAL.—An agency shall take actions described under subparagraph (b) before—
      1. developing or procuring information technology that collects, maintains, or disseminates information that is in an identifiable form; or
      2. initiating a new collection of information that—
         1. will be collected, maintained, or disseminated using information technology; and
         2. includes any information in an identifiable form permitting the physical or online contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, 10 or more persons, other than agencies, instrumentalities, or employees of the Federal Government.
   2. AGENCY ACTIVITIES. —To the extent required under subparagraph (a), each agency shall—
      1. conduct a privacy impact assessment;
      2. ensure the review of the privacy impact assessment by the Chief Information Officer, or equivalent official, as determined by the head of the agency; and
      3. if practicable, after completion of the review under clause (ii), make the privacy impact assessment publicly available through the website of the agency, publication in the Federal Register, or other means.
   3. SENSITIVE INFORMATION. —Subparagraph (b)(iii) may be modified or waived for security reasons, or to protect classified, sensitive, or private information contained in an assessment.
   4. COPY TO DIRECTOR. —Agencies shall provide the Director with a copy of the privacy impact assessment for each system for which funding is requested.
2. CONTENTS OF A PRIVACY IMPACT ASSESSMENT. —
   1. IN GENERAL. —The Director shall issue guidance to agencies specifying the required contents of a privacy impact assessment.
   2. GUIDANCE. — The guidance shall—
      1. ensure that a privacy impact assessment is commensurate with the size of the information system being assessed, the sensitivity of information that is in an identifiable form in that system, and the risk of harm from unauthorized release of that information; and
      2. require that a privacy impact assessment address—
      1. what information is to be collected;
      2. why the information is being collected;
      3. the intended use of the agency of the information;
      4. with whom the information will be shared;
      5. what notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared;
      6. how the information will be secured; and
      7. whether a system of records is being created under section 552a of title 5, United States Code, (commonly referred to as the `Privacy Act').
3. RESPONSIBILITIES OF THE DIRECTOR.—The Director shall—
   1. develop policies and guidelines for agencies on the conduct of privacy impact assessments;
   2. oversee the implementation of the privacy impact assessment process throughout the Government; and
   3. require agencies to conduct privacy impact assessments of existing information systems or ongoing collections of information that is in an identifiable form as the Director determines appropriate.

C. PRIVACY PROTECTIONS ON AGENCY WEBSITES. —

1. PRIVACY POLICIES ON WEBSITES. —
   1. GUIDELINES FOR NOTICES. —The Director shall develop guidance for privacy notices on agency websites used by the public.
   2. CONTENTS. —The guidance shall require that a privacy notice address, consistent with section 552a of title 5, United States Code—
      1. what information is to be collected;
      2. why the information is being collected;
      3. the intended use of the agency of the information;
      4. with whom the information will be shared;
      5. what notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared;
      6. how the information will be secured; and
      7. the rights of the individual under section 552a of title 5, United States Code (commonly referred to as the `Privacy Act'), and other laws relevant to the protection of the privacy of an individual.
2. PRIVACY POLICIES IN MACHINE-READABLE FORMATS. — The Director shall issue guidance requiring agencies to translate privacy policies into a standardized machine-readable format.

D. DEFINITION. —In this section, the term `identifiable form' means any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.

Attachment C

This attachment is a summary by the Federal Trade Commission of its guidance regarding federal agency compliance with the Children’s Online Privacy Protection Act (COPPA).

The hallmarks of COPPA for purposes of federal online activity are (i) notice of information collection practices (ii) verifiable parental consent and (iii) access, as generally outlined below:

• Notice of Information Collection Practices
  
  Agencies whose Internet sites offer a separate children’s area and collect personal information from them must post a clear and prominent link to its Internet privacy policy on the home page of the children’s area and at each area where it collects personal information from children. The privacy policy should provide the name and contact information of the agency representative required to respond to parental inquiries about the site. Importantly, the privacy policy should inform parents about the kinds of information collected from children, how the information is collected (directly, or through cookies), how the information is used, and procedures for reviewing/deleting the information obtained from children.
  
  In addition, the privacy policy should inform parents that only the minimum information necessary for participation in the activity is collected from the child.In addition to providing notice by posting a privacy policy, notice of an Internet site’s information collection practices must be sent directly to a parent when a site is requesting parental consent to collection personal information from a child. This direct notice should tell parents that the site would like to collect personal information from their child, that their consent is required for this collection, and how consent can be provided. The notice should also contain the information set forth in the site’s privacy policy, or provide an explanatory link to the privacy policy.
  
  
• Verifiable Parental Consent
  
  With limited exceptions, agencies must obtain parental consent before collecting any personal information from children under the age of 13. If agencies are using the personal information for their internal use only, they may obtain parental consent through an e-mail message from the parent, as long as they take additional steps to increase the likelihood that the parent has, in fact, provided the consent. For example, agencies might seek confirmation from a parent in a delayed confirmatory e-mail, or confirm the parent’s consent by letter or phone call²³.
  
  However, if agencies disclose the personal information to third parties or the public (through chat rooms or message boards), only the most reliable methods of obtaining consent must be used. These methods include: (i) obtaining a signed form from the parent via postal mail or facsimile, (ii) accepting and verifying a credit card number in connection with a transaction, (iii) taking calls from parents through a toll-free telephone number staffed by trained personnel, or (iv) email accompanied by digital signature.
  
  Although COPPA anticipates that private sector Internet operators may share collected information with third parties (for marketing or other commercial purposes) and with the public (through chat rooms or message boards), as a general principle, federal agencies collect information from children only for purposes of the immediate online activity or other, disclosed, internal agency use. (Internal agency use of collected information would include release to others who use it solely to provide support for the internal operations of the site or service, including technical support and order fulfillment.) By analogy to COPPA and consistent with the Privacy Act, agencies may not use information collected from children in any manner not initially disclosed and for which explicit parental consent has not been obtained. Agencies’ Internet privacy policies should reflect these disclosure and consent principles.
  
  COPPA’s implementing regulations include several exceptions to the requirement to obtain advance parental consent where the Internet operator (here, the agency) collects a child’s email address for the following purposes: (i) to provide notice and seek consent, (ii) to respond to a one-time request from a child before deleting it, (iii) to respond more than once to a specific request, e.g., for a subscription to a newsletter, as long as the parent is notified of, and has the opportunity to terminate a continuing series of communications, (iv) to protect the safety of a child, so long as the parent is notified and given the opportunity to prevent further use of the information, and (v) to protect the security or liability of the site or to respond to law enforcement if necessary.
  
  Agencies should send a new notice and request for consent to parents any time the agency makes material changes in the collection or use of information to which the parent had previously agreed. Agencies should also make clear to parents that they may revoke their consent, refuse to allow further use or collection of the child’s personal information and direct the agency to delete the information at any time.
  
  
• Access
  
  At a parent’s request, agencies must disclose the general kinds of personal information they collect online from children as well as the specific information collected from a child. Agencies must use reasonable procedures to ensure they are dealing with the child’s parent before they provide access to the child’s specific information, e.g., obtaining signed hard copy of identification, accepting and verifying a credit card number, taking calls from parents on a toll-free line staffed by trained personnel, email accompanied by digital signature, or email accompanied by a PIN or password obtained through one of the verification methods above.
  
  In adapting the provisions of COPPA to their Internet operations, agencies should consult the FTC’s web site at http://www.ftc.gov/privacy/privacyinitiatives/childrens.html or call the COPPA compliance telephone line at (202) 326-3140.

Attachment D

Summary of Modifications to Prior Guidance

This Memorandum modifies prior guidance in the following ways:

* Internet Privacy Policies (Memorandum 99-18):

• must identify when tracking technology is used to personalize the interaction, and explain the purpose of the feature and the visitor’s option to decline it.
  
  
• must clearly explain when information is maintained and retrieved by personal identifier in a Privacy Act system of records; must provide (or link to) a Privacy Act statement (which may be subsumed within agency’s Internet privacy policy) where Privacy Act information is solicited.
  
  
• should clearly explain an individual’s rights under the Privacy Act if solicited information is to be maintained in a Privacy Act system of records; information about rights under the Privacy Act may be provided in the body of the web privacy policy or via link to the agency’s published systems notice and Privacy Act regulation or other summary of rights under the Privacy Act (notice and explanation of rights under other privacy laws should be handled in the same manner).
  
  
• when a Privacy Act Statement is not required, must link to the agency’s Internet privacy policy explaining the purpose of the collection and use of the information (point-of-collection notice at agency option).
  
  
• must clearly explain where the user may consent to the collection or sharing of information and must notify users of any available mechanism to grant consent.
  
  
• agencies must undertake to make their Internet privacy policies “readable” by privacy protection technology and report to OMB their progress in that effort.
  
  
• must adhere to the regulatory requirements of the Children’s Online Privacy Protection Act (COPPA) when collecting information electronically from children under age 13.

*Tracking Technology (Memorandum 00-13):

• prohibition against tracking visitors’ Internet use extended to include tracking by any means (previous guidance addressed only “persistent cookies”).? authority to waive the prohibition on tracking in appropriate circumstances may be retained by the head of an agency, or may be delegated to (i) senior official(s) reporting directly to the agency head, or to (ii) the heads of sub-agencies.? agencies must report the use of tracking technology to OMB, identifying the circumstances, safeguards and approving official.
  
  
• agencies using customizing technology must explain the use, voluntary nature of and the safeguards applicable to the customizing device in the Internet privacy policy.
  
  
• agency heads or their designees may approve the use of persistent tracking technology to customize Internet interactions with the government.

* Privacy responsibilities (Memorandum 99-05)

• agencies to identify individuals with day-to-day responsibility for implementing the privacy provisions of the E-Government Act, the Privacy Act and any other applicable statutory privacy regime.
  
  
• agencies to report to OMB the identities of senior official(s) primarily responsible for implementing and coordinating information technology/web policies and privacy policies.

1. Agencies may, consistent with individual practice, choose to extend the protections of the Privacy Act and E-Government Act to businesses, sole proprietors, aliens, etc.
2. Information in identifiable form is defined in section 208(d) of the Act as “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” Information “permitting the physical or online contacting of a specific individual” (see section 208(b)(1)(A)(ii)(II)) is the same as “information in identifiable form.”
3. Clinger-Cohen Act of 1996, 40 U.S.C. 11101(6).
4. Clinger-Cohen Act of 1996, 40 U.S.C. 11103.
5. In addition to these statutorily prescribed activities, the E-Government Act authorizes the Director of OMB to require agencies to conduct PIAs of existing electronic information systems or ongoing collections of information in identifiable form as the Director determines appropriate. (see section 208(b)(3)(C)).
6. Information in identifiable form about government personnel generally is protected by the Privacy Act of 1974. Nevertheless, OMB encourages agencies to conduct PIAs for these systems as appropriate.
7. Consistent with agency requirements under the Federal Information Security Management Act, agencies should: (i) affirm that the agency is following IT security requirements and procedures required by federal law and policy to ensure that information is appropriately secured, (ii) acknowledge that the agency has conducted a risk assessment, identified appropriate security controls to protect against that risk, and implemented those controls, (iii) describe the monitoring/testing/evaluating on a regular basis to ensure that controls continue to work properly, safeguarding the information, and (iv) provide a point of contact for any additional questions from users. Given the potential sensitivity of security-related information, agencies should ensure that the IT security official responsible for the security of the system and its information reviews the language before it is posted.
8. PIAs that comply with the statutory requirements and previous versions of this Memorandum are acceptable for agencies’ FY 2005 budget submissions.
9. Section 208(b)(1)(C).
10. See 44 USC Chapter 35 and implementing regulations, 5 CFR Part 1320.8.
11. Item 1 of the Supporting Statement reads: “Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.”
12. Item 2 of the Supporting Statement reads: “Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.”
13. Item 2 of the Supporting Statement reads: “Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.”
14. Item 10 of the Supporting Statement reads: “Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.”
15. Section 208(c)(1)(B)(v).
16. Section 208(c)(1)(B)(vii).
17. Section 208(c)(1)(B)(i-iv).
18. When multiple Privacy Act Statements are incorporated in a web privacy policy, a point-of-collection link must connect to the Privacy Act Statement pertinent to the particular collection.
19. Attachment C contains a general outline of COPPA’s regulatory requirements. Agencies should consult the Federal Trade Commission’s COPPA compliance telephone line at (202)-326-3140 or website for additional information at: http://www.ftc.gov/privacy/privacyinitiatives/childrens.html.
20. Consistent with current practice, the agency head or designee may limit, as appropriate, notice and reporting of tracking activities that the agency has properly approved and which are used for authorized law enforcement, national security and/or homeland security purposes.
21. Section 208(c)(1)(B)(vi).
22. Federal Information Security Management Act of 2002 (Title III of P.L. 107-347), OMB’s related security guidance and policies (Appendix III to OMB Circular A-130, “Security of Federal Automated Information Resources”) and standards and guidelines development by the National Institute of Standards and Technologies.
23. This standard was set to expire in April 2002, at which time the most verifiable methods of obtaining consent would have been required; however, in a Notice of Proposed Rulemaking, published in the Federal Register on October 31, 2001, the FTC has proposed that this standard be extended until April 2004. 66 Fed. Reg. 54963.