In 2006, the Office of Management and Budget published two memoranda back to back dealing specifically with protecting certain types of information maintained by the Federal Government. M-06-15 addresses safeguarding personally identifiable information. M-06-16 deals with the protection of sensitive agency information. Both memoranda reiterate the security requirements of previous regulations, and expand upon them to make them more effective.

OMB M-06-15: Safeguarding Personally Identifiable Information

M-06-15 served as a reminder to government agencies of their responsibilities towards protecting personally identifiable information.

Under the Privacy Act of 1974 agencies must:

• Establish rules of conduct for individuals working accessing, using or maintaining personally identifiable information. Employees should receive adequate training in their privacy and security responsibilities and be made aware of the consequences of noncompliance with the Privacy Act.
• Implement adequate administrative, technical and physical safeguards to protect personally identifiable information.

M-06-15 asked all Senior Agency Official for Privacy appointed pursuant to M-05-08 to review agency policies to ensure compliance with the Privacy Act. The review was to be included in a report reviewing implementation of an compliance with the Federal Information Security Management Act (FISMA).

OMB M-06-16: Protection of Sensitive Agency Information

M-06-16 described important security controls agencies should use to protect sensitive agency information:

1.  All mobile devices that store or access agency data should be encrypted

2.  Remote access to agency data must require a two factor authentication process which includes a device separate from the device gaining access

3.  Agencies should implement time-out functions on remote access mobile devices that log out a user after 30 minutes of inactivity

4.  Agencies must maintain adequate logs of all computer readable data extracts from information systems containing sensitive data. Data that is no longer in use should be erased after 90 days.

M-06-16 also included the National Institute of Standards and Technology (NIST) checklist for remote access:

1.  Confirm identification of personally identifiable information protection needs– Any PII that may be at increased risk from remote access must be identified and a risk assessment performed.

2.  Verify adequacy of organizational policy– Existing policy should be reviewed to ensure that the procedures and security controls adequately protect PII. Policy should be improved upon if necessary.

3.  Implement protections for personally identifiable information being transported and/or stored offsite– This step involves ensuring the proper security controls including encryption are applied to sensitive agency data before it is transported or store away from the main agency network.

4.  Implement protections for remote access to personally identifiable– Users should access agency data through a Virtual Private Network (VPN) to ensure proper authentication and security. Security controls should be implemented to limit the ability to access or download PII remotely only to authorized individuals. All sensitive data stored on remote access devices should be encrypted, if policy allows remote storage. If policy does not allow storage of PII on the local hard drive of a remote device, proper security controls should be implemented to allow remote use without local storage of the data

Summary

The protection of agency data including sensitive information and personally identifiable information remains a significant concern for government agencies and the Office of Management and Budget. While memoranda 06-15 and 06-16 include no new recommendations or policies, such memoranda enforce the idea that attention to and review of security controls is an ongoing process that must occur regularly to ensure proper protection of agency information.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• OMB Memorandum 06-15 (II.A.c.2.e)
• OMB Memorandum 06-16 (II.A.c.2.f)

The Federal Agency Data Mining Reporting Act of 2007

After the 9/11 terrorist attacks a commission report was created to evaluate security risks and other potential threats and create recommendations for increasing security. The Implementing Recommendations of the 9/11 Commission Act was passed in 2007 in order to turn many of the recommendations into law. Section 804 of the act deals with the use of Data Mining by the U.S. Government and is called the Federal Agency Data Mining Reporting Act.

Data Mining uses pattern based queries to search through electronic databases in order to uncover possible terrorist or criminal activity. The searches do not specifically target individuals or groups to monitor their activities, rather the program searches widely through disparate records of data to uncover any patterns of transactions, activities, communications, and other elements which are deemed suspicious. Since Data Mining is a form of government surveillance, the Federal Agency Data Mining Reporting Act set up certain reporting requirements to monitor its use and prevent potential abuse by government agencies.

The head of every department or agency that practices data mining is required to submit a report of their activities to Congress and make the information available to the public. Reports must be published at least annually to comply with the act.

Each report must contain:

• A description of the data mining activities, the goals of the program and the target dates of use
• A description of the technology used as well as the basis used to determine whether a pattern or anomaly indicates illegal activity
• A description of the data sources from which information is collected
• An assessment of the likely efficacy of the program
• An assessment of the impact of the program, especially with regard to privacy and civil liberties. It must also detail the steps taken to prevent potential violations
• A list an analysis of the applicable laws and regulations that affect data collection for the data mining activities
• A discussion of the policies and procedures in place to protect privacy and due process rights, as well as those used to ensure information is complete, accurate, timely and secure.

Any information that cannot released to the public (ie: classified information, sensitive law enforcement information, business information, trade secrets) must be published in an annex to the report which is then submitted to Congress.

The Federal Advisory Committee Act

The Federal Advisory Committee Act created regulations for the creation, use and monitoring of such committees. Federal Advisory Committees are used to gain recommendations and advice from the private sector, when they may have more knowledge of a particular issue. Over 1,000 committees are currently in existence. The FACA makes the following requirements regarding privacy:

• An advisory committee meeting must be open to the public unless the President determines it to be a matter of national security
• While an advisory committee exists, all reports, transcripts, working papers, studies, agendas and other relevant documents must be available for public inspection and copying in the advisory committee or agency office.
• All advisory committee meetings must be recorded in the official minutes including the attendees, a complete summary of the issues discussed, and copies of all reports received. The minutes must be authenticated by the chairman of the Advisory Committee
• If a meeting or portion of a meeting of an Advisory Committee is determined to be closed to the public by the President or head of the agency to the Advisory Committee, the determination must be made in writing including the reasons behind the determination as compliant with section 552(b) of Title 5, the United States Code
• No meeting of an advisory committee may be conducted in secret. Each Committee must have a designated Government official to attend all meetings and who has the authority to adjourn a meeting in the interest of the general public.
• All meetings and agendas of an Advisory Committee must be approved by the designated Government official.

Government in the Sunshine Act

The Government in the Sunshine Act was passed in 1976 and requires that “every portion of every meeting of an agency shall be open to public observation.” The Act includes several exceptions to the rule. Disclosure of a meeting or part a meeting is not required if the information:

• is related to matters that are authorized by executive order to be kept secret in the interest of national security and foreign policy and is properly classified pursuant to an executive order
• relates only to the inner workings of an agency
• discloses information exempted from disclosure by other regulations
• discloses trade secrets, commercial information, financial information considered to be confidential
• discloses information which accuses a person of a crime
• discloses personal information that would be considered an violation of privacy
• discloses records used by law enforcement officials if the information will: interfere with enforcement proceedings; deprive an individual of their right to a fair trial; release personal information; disclose investigative techniques; endanger the life of law enforcement personnel
• relates to the examination, operation or condition reports used by an agency to regulate and supervise financial institutions
• discloses information whose premature disclosure could cause endanger the stability of financial institutions or significant financial speculation of currencies, securities or commodities
• discloses information whose premature disclosure could create larger problems in the implementation of a proposed action
• concerns the issuance of a subpoena or participation in a court proceeding.

The act also requires notice of all meetings to be given to the public at least one week prior to meeting time including, time, date, location, subject matter, whether it is open or closed to the public, and the contact information for the agency official that handles requests for information. Any changes must be announced to the public as soon as possible. All public announcements must also be submitted to the Federal Register for publication.

Enforcement of the Sunshine Act is accomplished through annual reports to Congress regarding the number of meetings open and closed to the public, and the reasons for the closed meeting.

Summary:

Laws such as the three mentioned above are not broad privacy regulations, but are still important parts of privacy regulation in the U.S. Government because they apply privacy principles to narrow, specific practices within the Government. Open Government promotes privacy by allowing citizens to access and monitor government activities including how their information is being used.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Federal Open Meeting Laws including FACA and the Sunshine Act (I.C.g.i-ii)
• The Federal Agency Data Mining Report Act of 2007

The E-Government Acts of 2002 involved a large number of new regulations to implement and control the use of electronic technologies by the U.S. Government. Title III of this Act, called the Federal Information Security Management Act required all Government agencies to develop extensive information security programs.

What is the Importance of FISMA?

The Federal Information Security and Management Act deals with Information Security, which is one of the Fair Information Practice Principles. Proper protection of data does not only include the acceptable use and disclosure of the data by the agency, but also the measures taken to prevent abuse of information by other parties and to protect the status and availability of the data.

FISMA incorporates the three main components of information security:

• Confidentiality– involves implementing the necessary restrictions and authorizations to limit access to sensitive data.
• Integrity– involves ensuring information is authentic and preventing improper modification or destruction
• Availability– involves the ability to readily access information and the timeliness of the information

What Does a FISMA Compliant Information Security Program Entail?

• Periodic risk assessments must be conducted evaluating any potential harm caused by unauthorized access, use, disclosure or destruction of the data including an assessment of the magnitude of harm
• Risk assessments are used to develop policies which are cost effective and reduce any security threats. These policies must also protect data at all stages of the life cycle
• The efficacy of policies, procedures and security controls must be tested at least annually, with higher risk systems requiring more frequent evaluations.
• An agency must implement a way to detect, report and respond to security violations
• An agency must develop a continuity of operations plan to return function as quickly as possible in the event of a security incident of disruption.

What is Security Certification and Accreditation?

Security Certification and Accreditation is the official process taken to authorize the operation of an information system by an agency of the U.S. Government. By accrediting an information system, the agency accepts full responsibility for the system and will be held accountable for any negative impacts or problems that may arise.

The four phases of the Security Certification and Accreditation process:

1. Initiation Phase– ensures all parties are on the same page regarding the information system, its contents and controls before the system is evaluated. In this phase, the information security system is prepared and the security plan is analyzed and updated for review.
2. Security Certification Phase– evaluates security controls to make sure they are functioning correctly, that the system is operating as it should and that the information is adequately protected. In this phase, all security controls are tested documentation is created with the results.
3. Security Accreditation Phase– the information gathered during the previous phase is used to determine if the operation of the information system presents an acceptable security risk. In this stage, the authorizing official determines whether or not an information system may become operational, and proper documentation is filed if the system is ready to become accredited.
4. Continuous Monitoring Phase – ensures ongoing enforcement by requiring ongoing configuration and management control, monitoring of security controls and the filing of status reports and documents.

Reaccreditation occurs periodically and after significant changes in the system or environment. The Security Certification and Accreditation process is used to evaluate an individual information system and its security. It is similar to but distinct from Privacy Impact Assessments which are used to evaluate privacy protections with regard to changes in a records system. PIA and C&A evaluations for particular information systems may overlap in coverage. However, PIA are also used to evaluate privacy concerns involved with using matching programs, sharing information between agencies or when transferring data to electronic form. C&A evaluations are less frequent and more extensive and evaluate individual security systems and their related policies.

Enforcement of FISMA

Monitoring of FISMA compliance is built into the regulation through mandatory reports due to the Director of the Office of Management and Budget, and several House of Representative and Senate Committees. The report must include:

• The information resources used by the agency
• The information technologies used by the agency
• The program performance
• Financial management information including annual budgets, and accounting to determine cost effectiveness
• Record of any significant vulnerabilities in the policies, procedures or security systems.

In 2008, OMB Memorandum 08-09, added new reporting guidelines that required each agency to report:

• The number of each type of privacy review used by the agency during the previous fiscal year
• Any new policies, guidance or advice provided by the agency official in charge of privacy in the past fiscal year
• The number of written privacy complaints received in the past fiscal year
• The number of privacy issues referred to another agency with the relevant jurisdiction in the past fiscal year

Each agency must also create a performance plan in consultation with the Director of the Office of Management and Budget regarding the time period and resources needed including budget, staffing and training to implement or continue to implement, secure FISMA compliant information security systems.

FISMA also requires annual independent evaluations of the information security programs and procedures. The evaluation is conducted by the Inspector General of the agency, if one is appointed. It one is not appointed, the head of the agency must hire an external party to evaluate the system. A report the evaluation must be submitted to the Director of the Office of Management and Budget who then summarizes the findings in the Director’s Report to Congress.

Summary:

The Federal Information Security Management Act protects privacy by requiring extensive evaluations and monitoring of Government information systems to ensure data is adequately protected and operating at an acceptable level of risk.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Federal Information Security Management Act (I.C.f.i-iii.)
• The E-Government Act of 2002 including Privacy Impact Assessments (I.C.c.i.-ii.)

Who Must Comply With the Rule?

• Any research conducted or supported by a Federal department or agency
• Any research not conducted or supported by the government is still subject to the institutional review board and documentation of informed consent requirements of the policy
• Any research that department or agency heads may require to comply with the policy

The following include all research activities that are exempt from the policy:

• Any research taking place in commonly accepted educational settings (ie: research on educational strategies, instructional techniques, curriculum)
• Any research that uses educational tests, surveys, interviews, or observation of public behavior unless personally identifiable information is obtained and may be linked with the test subject in the records or disclosure of the subject’s responses could be publicly damaging.
• Any research that uses educational tests, surveys, interviews or observations of public behavior where the human subject is an elected official or candidate for office or where federal regulations require confidentiality to be maintained.
• Any research that involves collecting existing data, documents, or specimen if the source is publicly available or the subjects cannot be identified through the information
• Any projects that are conducted to study, evaluate or examine: public benefit or service programs; the procedures for obtaining such benefits; possible changes to the benefits or service available
• Any research that involves testing the taste of quality of food as long as: the food is wholesome and without additives; the food contains ingredients considered safe by the Food and Drug Administration or Environmental Protection Agency

Institutional Review Boards

Before any research may be conducted, an institution that must comply with the policy must file written assurance with the Office for Protection from Research Risks, Health & Human Services. For an assurance approval, an institution must provide proof that an institutional review board (or several)  has approved the research to be conducted and that the research will be continually reviewed by the committee.

It is the duty of Institutional Review Board (IRB) to approve, monitor and review all research involving human research subjects. All IRBs are composed of at least five members, experience and diverse enough to make sound decisions regarding the project being conducted. In addition, each IRB must contain a “Community Member” that is not a scientist or affiliated with the agency.

Informed Consent

Before a subject may participate in a research project the investigator must obtain legally effective informed consent. As one of the Fair Information Practice Principles, consent is vital to protecting an individual’s privacy and well being.

A subject should receive adequate time to consider their participation. The information they receive must be written in clear and understandable language. Further more, no consent may include exculpatory language, which completely frees the researchers from responsibility towards protecting the subject and their privacy.

In order to make informed consent, prospective subjects must receive the following information:

• Any reasonable benefits and complications they may experience
• A list of alternative treatment options
• A statement regarding how the confidentiality of documents containing identifiable information will be maintained
• Explanations of compensation or further medical treatment, should an injury occur
• Contact information should the subject have further questions regarding their rights, or should an injury occur
• A statement reminding the subject that their participation is voluntary and that they will receive no penalty for refusing to participate

The rule also prohibits the use of undue influence or coercion to obtain consent. Undue influence may include providing subjects with large sums of money or other benefits which may cloud the decision-making process. For research being conducted in schools where credit may be used as an incentive to participate, a non-research based alternative to receive the same credit must also be made available to the students.

Summary:

The Common Rule for Protection of Human Subjects is an important policy dealing with the physical safety of research subjects and the handling of their personal information. Continuous research is required to advance science, develop new technologies and determine whether products are safe for human consumption. Regardless of their status, compensation or reasons for entering a study, test subjects are guaranteed protection under this policy.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

•   Common Rule for Protection of Human Subjects (II.B.b.iv.)

“To enhance the management and promotion of electronic Government services and processes by establishing a Federal Chief Information Officer within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes.”

Section 208 of the E-Government Act is devoted specifically to privacy concerns. It  placed four specific requirements on Government agencies:

• Conduct Privacy Impact Assessments for electronic information systems and records and make them available to the public
• Post privacy policies to all agency websites
• Implement P3P (machine-readable) privacy policies on agency websites
• Submit annual reports to the Office of Management and Budget regarding compliance with the Act

Website Privacy

All government agencies are required to post privacy policies on their general websites as of December 15, 2003. The privacy policy rule does not apply to: information not considered “government information”; intranet websites only used by authorized government users; national security systems.

All Privacy Policies:

• Require consent from the individual for information collection and sharing. Website visitors must be told whether the information requested is voluntary or mandatory as well as how to grant consent for the collection of both voluntarily and mandatorily provided information.
• Must notify individuals of their rights under the Privacy Act and other privacy laws such as HIPAA, the IRS Restructuring and Reform Act of the Family Educational Rights and Privacy Act. Notification must be placed in the body of the website’s privacy policy, linking to the official text of the legislation or the official summary of statutory rights.
• Must implement machine readable (P3P) privacy policies into their websites.
• Must comply with the relevant Office and Management and Budget Memorandums which concern the content and use of privacy policies:
  • Memorandum-99-18 Requires the inclusion of two content areas: Consent to collection and sharing; Rights under the Privacy Act or other privacy laws (as outlined above) OMB M-99-18 also requires the posting of privacy polices on the main web site, any major entry points to the site and on every page that collects personally identifiable information. Further it requires privacy policies to be clear, conspicuous, accessible and easy to understand.
  • Memorandum-99-05 Deals with the administrative side of privacy protection.  M-99-05 requires all employees and contractors to be educated in their responsibility towards privacy protection. All individuals that may have day to day responsibility for implementing section 208 must be identified. A senior official or officials must be appointed to oversee privacy matters in the agency, serve as the principle information technology contact and review the agency’s Privacy Impact Assessments.
  • Memorandum-00-13 Prohibits the use of persistent cookies or web beacons to track visitor traffic at their website unless authorized by a senior official due to compelling need. If tracking cookies are used, the privacy policy on the agency’s website must include the type of information collected, how and why it is collected and used, whether the information is disclosed to third parties and how the information will be protected by privacy safeguards. All agencies must submit reports for the use of persistent tracking cookies. OMB M-00-13 does allow the use of session cookies to track activity during a single session
• Must continue to implement the privacy protections enforced by other regulations. Privacy policies should assure visitors that the information technologies used protect data during all phases of its life cycle. They should assure compliance with the Privacy Act of 1974 regarding how information is handled and complete regular evaluations to ensure compliance. Furthermore, the agency must fully adhere to their stated privacy policies.

Privacy Impact Assessments

The E-Government Act requires agencies to conduct Privacy Impact Assessments to achieve three main goals:

• Ensure that information handling complies with all applicable laws, regulations and policies regarding privacy.
• Assess the risks and effects to the individual of collection, maintaining, using and disclosing personally identifiable information
• Evaluate current protections, their effectiveness and consider possible alternatives better protect data from privacy violations.

When must a PIA be conducted?

All PIA should be conducted to the collection, use or disclosure of information in identifiable form. A PIA is required:

• Prior to developing or obtaining and IT system or process which collects, stores or discloses personally identifiable information
• Prior to instituting a new electronic means of collecting identifiable information from 10 or more individuals
• When converting paper records to electronic records
• When anonymized data in an information system is changed into identifiable form
• Prior to significant changes of an existing IT system when such changes effect how identifiable information is managed in the system
• Prior to the merging of information (most often completed through matching programs with other agencies)
• When a new user authentication technology is used to allow public access to government information
• Before information purchased from commercial or public sources is merged into existing information systems maintaining personally identifiable information
• When two or more agencies work together to share function or uses of personally identifiable information, the lead agency should prepare the PIA
• When internal business process result in significant changes of the use, disclosure or collection of identifiable information.
• When additional data elements containing information in identifiable form are added to an information system and increase the risk to personal privacy.

There are a few exceptions to the Privacy Impact Assessment rule. A PIA is not required:

• When the information relates to internal government operations
• A previous evaluation has been conducted in an assessment  similar to a PIA
• When privacy issues remain unchanged. Examples of such situations include:
  • Government information systems that do not maintain information in identifiable form or about members of the general public
  • When the government-run public website is only used to collect limited information from individuals for the purpose of providing feedback to their inquiries or requesting additional information
  • National security systems
  • When privacy protection is addressed in a matching agreement as pursuant to the Privacy Act
  • When privacy protection is addressed in an interagency agreement allowing the merging of data only for statistical purposes and PII remains private pursuant to Title V of the E-Government Act
  • If the IT systems collects information in non identifiable form for purposes other than the matching or merging of that data with other databases

What does a Privacy Impact Assessment contain?

Each PIA must contain the following information:

• The nature, source of collected information
• The reasons behind the collection of information
• The intended uses and disclosures of collected information and how the individual can provide their consent
• The technical and administrative safeguards used to protect the information
• Whether the information system falls under the definition of system of records under the Privacy Act
• An analysis of the PIA and the steps taken by the agency to remedy and problems or weaknesses

What is the Significance of Privacy Impact Assessments?

Privacy Impact Assessments are public documents that allow ongoing monitoring and assessment of privacy protection implementation and effectiveness. All PIAs must be evaluated by the Chief Information Officer in the Office of Management and Budget. The CIO’s job is to evaluate all PIAs for compliance and ensure implementation of the necessary procedures.

Further more, they provide the public with insight into how the Federal Government collects, uses, maintains and protects personally identifiable information. Under Section 208B, Privacy Impact Assessments should be made available to the public through publication on the agency’s website or publication in the Federal Register, though this requirement may be waived for security purposes.

PIAs are similar to the Systems of Records Notice (SORN) required under the Privacy Act of 1974 which created a Federal Register documenting all information systems which use personally identifiable information to retrieve records. Privacy Impact Assessments allow for stronger privacy protections by requiring greater detail and by applying to some records systems which are exempt from filing SORNs.

Summary:

With the integration of new technology into record keeping systems, the U.S. Government recognized the need for new legislation regulating the use of such technologies by the Federal Government. Section 208 is particularly important in privacy legislation because it increases the protections granted under other privacy legislations such as the Freedom of Information Act and the Privacy Act of 1974. Furthermore, it regulates the collection, use and disclosure of personally identifiable information over the Internet, requires regular enforcement through the use of Privacy Impact Assessments and provides public access to government activities through regular reporting and publication of those assessments.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• The E-Government Act of 2002 including website privacy policy and Privacy Impact Assessments (I.C.c.i.-ii.)

The Privacy and Civil Liberties Oversight Board

The Intelligence Reform Act of 2004 required the creation of a Privacy and Civil Liberties Oversight Board. It is the responsibility of the board to help the President and other policymakers protect the privacy and civil liberties of all citizens when creating and implementing regulations. The Board consists of five members selected by the President. The Chairman and Vice Chairman of the Board must also be approve by the Senate.  Board members are United States citizens that are not members of the Federal Government. They are selected based on their individual qualifications and experience related to privacy and civil liberties advocacy and protection.

Privacy and Civil Liberties Officers

Section 803, requires the designation of a senior official or officials within a number of major Government departments and agencies to oversee privacy and civil liberties within their department. It is the responsibility of a Privacy and Civil Liberties Officer to:

• Assist officials as they develop and institute new policies, procedures and regulations to make sure that privacy and civil liberties are taken into account
• Investigate the department periodically to evaluate the consideration of privacy and civil liberties in its guidelines and procedures
• Ensure that the agency has an appropriate redress mechanism to investigate and resolve privacy and civil liberties complaints
• Help policy makers balance the need for power the the protection of privacy and civil liberties and that adequate guidelines are implemented to ensure such protections

The policy also created rules to prevent government employees from discouraging or negatively impacting a Privacy and Civil Liberties Officer’s ability to carry out their responsibilities.  All agencies are require to give the necessary resources and personnel to their designated Officer so that they may successfully complete their responsibilities. The Officer must be consulted by decision makers and be advised of any possible policy changes. Furthermore, no reprisal or threat of reprisal may be issued to an employee for sharing information with the Officer unless their claim is willfully false.

Enforcement

Privacy and Civil Liberties Officers must file quarterly reports of their activity with the relevant Congressional Committees, the head of their department and the Privacy and Civil Liberties Oversight Board.

Each report must include:

• Information regarding the number and types of reviews completed
• The advice the Officer issued and the response it received in the department
• The type and number of privacy and civil liberties complaints received
• A summary of how the complaints were resolved, including how they were investigated and resolved, as well as their impact on privacy and civil liberties in the department.

All reports to Congress must be made available to the public, except that information considered to be classified.

Summary:

The Privacy and Civil Liberties Oversight Board and the designation of Privacy and Civil Liberties Officers is an important step in developing regulations that protect such rights. However, the Oversight Board and Officer positions play an advisory role, and they have no real authority to enforce their recommendations. Though both the National Security Reform Act of 2004 and the Implementing Recommendations of the 9/11 Commission Act of 2007, recognize the need to consider privacy and civil liberties during the development of new policies and regulations, there is still a ways to go before privacy and civil liberties are guaranteed protection.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Section 803 of the Implementing Recommendations of the 9/11 Commission Act

It’s a jungle out there

Disorder and confusion everywhere

No one seems to care

Well I do

Hey, who’s in charge here?

It’s a jungle out there

The Privacy Act of 1974 is a public sector law that regulates the use of personal information by the United States Government.  Specifically it establishes rules, similar to the Fair Information Practice Principles that determine what information may be collected and how it may be used in order to protect the personal privacy of U.S. citizens.

Data Collection and Management

The Privacy Act of 1974 applies to Federal Government Agencies and governs their use of a system of records. By definition, a system of records is “any group of records under the control of any agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”

The following rules govern the use of a system of records:

• No Federal Government record keeping system may be kept secret
• No agency may disclose personal information to third parties without the consent of the individual (with some exceptions)
• No agency may maintain files on how a citizen exercises their First Amendment rights
• Federal personal information files are limited only to data that is relevant and necessary
• Personal information may able be used for the purposes it was originally collected unless consent is received from the individual.
• Citizens must receive notice of any third party disclosures including with whom the information is shared, the type of information disclosed and the reasons for its disclosure.
• Citizens must have access to the files maintained about them by the Federal Government
• Citizens must have the opportunity to correct or amend any inaccuracies or incompleteness in their files

Data Sharing

The Privacy Act of 1974 places restrictions on the ability of Federal agencies to share a system of records with third parties, including other agencies. However, the Privacy Act does recognize the need of the government to share records in order to improve security, maintain accuracy and consolidate resources. This is often accomplished through matching programs which allow certain data elements in one system of records to be searched against records in another system in order to find any data matches. Such matches would link together the information from both systems.

In order for any agency to run a matching program with a system of records from an another agency, their must first be a written agreement between both parties. The Committee on Governmental Affairs of the Senate, and the Committee on Government Operations of the House must receive a copy of the agreement. It must also be made available to the public.

A Data Sharing Agreement:

• Must state the purposes and legal justifications for the matching program
• Must provide rational for the program by estimating the results and savings that will be achieved
• Must describe the records to be matched including the specific data elements, estimate the number of records to be matched and provide estimated start and completion dates for the program
• Must describe how the privacy principles of the Privacy Act will be implemented in the program (ie: notice to the individual, ensure accuracy and completeness, limited used of results)
• Must provide an accuracy assessment of the unmatched records
• Must include a statement allowing the Comptroller General to monitor compliance with the Privacy Act if necessary.

Federal Register

To ensure that no system of records is kept secret, the Privacy Act requires all government agencies to provide a System of Records Notice (SORN) to biennially to be published in the Federal Register. Each SORN must also be published on the agencies website under the Electronic Privacy Act Amendment.

Each SORN must contain:

• The name location of the records system
• The title and business address of the individual overseeing the system of records at the agency
• The types of individuals about whom records are kept
• The categories of records kept in the system
• The general sources from which data is collected
• The privacy and usage policies of the agency, including those for access controls, storage, retrievability and destruction.
• How an individual may determine if an agency maintains a record about them in their system of records
• How an individual may gain access to the records an agency maintains about them

Exceptions to the Privacy Act

While the Privacy Act did take significant steps towards protecting privacy, there are a few important distinctions within the act that create holes in its protection.

The Privacy Act only applies to a system of records maintained by an agency. Records systems kept by government institutions not considered an agency are exempt. Further more a system of records is defined as a group of records which uses personally identifiably information or signifiers to retrieve a file. There may be records systems which contain personal information but does not use that information to search for and gain access to a record. Such system of records would also be exempt under the Act.

The Privacy Act also contains a “routine use” exception which allows the disclosure of information without the notice or consent of the individual. Routine use is defined as “the use of such record for a purpose which is compatible with the purpose for which it was collected.” The vague definition of routine use allows agencies to expand their definition of compatible purpose at will, eventually allowing more and more information to be disclosed under the routine use exception. As long as the SORN contains a listing of the routine uses of the information, an agency is considered compliant with the Privacy Act.

Summary

Like the Freedom of Information Act, the Privacy Act of 1974 seeks to protect the privacy of U.S. citizens by giving them the ability to monitor the use of their personal information by the U.S. government. Though the Privacy Act does make significant steps in the protecting the right of privacy, it is also limited enough in its scope and implementation to only provide adequate protection. Privacy professionals and U.S. citizens should be familiar with the Privacy Act of 1974 in order to effectively understand their rights and work to create more comprehensive privacy legislation in the future.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• The Privacy Act of 1974 (I.C.b.i.-iv.)

What Information is Viewable Under the Freedom of Information Act?

All records maintained by the Executive branch are viewable except those that meet one or more of the following exceptions:

• The information is classified for national defense or foreign relations
• The information relates only to internal personnel rules and procedures
• The information is prohibited from disclosure by other legislation
• The information contains trade secrets, commercial or financial information that must remain confidential
• The information relates only to communications within the agency or between agencies
• Contain personally identifiable information or personal health information that would violate personal privacy
• Used for law enforcement purposes that may:
  • interfere with law enforcement proceedings
  • interfere with a person’s right to a fair trial
  • constitute an invasion of privacy
  • disclose the identity of a confidential source
  • disclose techniques or procedures used by law enforcement
  • present danger to the life or safety of any individual
• Relate to the supervision of financial institutions
• Relate to geological information on oil wells

It should be note that the Freedom of Information act specifically applies only to the Federal Government and only pertains to the Executive branch. The judicial and legislative branches have different procedures for the release of information to the public. Many states have enacted similar laws to the Freedom of Information Act to provide the same protection on a state level.

How to Obtain Information Under the Freedom of Information Act?

1)  A FOIA request must be submitted in writing to the appropriate agency. In order to protect individual privacy, a request may require authentication of identity through the completion of Form DOJ-361; or submitting an authorized signature.

2)  After the request has been received, the individual will usually receive a confirmation response within a few weeks. Under the FOIA an agency must be respond within 20 working days after receipt at the correct agency.

3)  If the request has been granted, an agency may contact the requester to narrow the scope of the request or discuss fee status. Once all issues are resolved an agency will: release all documents; release parts of the documents; withhold documents; not find any responsive documents.

4)  If the request is denied, the requester may submit an appeal (see below).

Response Times

Though the FOIA requires agencies to grant or deny requests within 20 working days, there are a number of “unusual circumstances” which permit an extension of 10 days for  the granting or denying of a request as long as the requester receives notice of the extension and the reasons behind it such as:

• Need to search and collect requested records
• Need to search, collect and examine a large amount of records demanded in a single request
• Need for consultation with another agency for determination of the request.

Though the FOIA requires timely response, due to the enormous backlog of requests this is not always enforced. The receipt of requested documents may take anywhere from one week to several years.

Some individuals have attempted speed up processing times by submitting multiple requests or submitting several, separate, narrow requests. This may not always effect processing time as the FOIA allows related requests made by the same individual or for similar purposes to be aggregated together.

Expedited processing may occur if:

• Timely receipt of the material is needed to prevent imminent threat to the life or physical safety of an individual
• the information is being used to disseminate information to the public about government activities

Fees

To cover the costs of materials and resources used in completing an FOIA request, a fee may be issued to be paid by the requester. An FOIA request should include a maximum amount the requester is willing to pay in order to be processed. Currently reproduction fees are $0.10 per page plus the hourly search and review fee which depends on the administrative level of the employee required to complete the search (usually between $16 and $80 an hour). If the fee is likely to exceed $250, the agency may request advance payment, otherwise payments should be paid in a timely manner upon receipt of the bill.

Fees may be waived on a case by case basis if the records are considered “likely to contribute significantly to the public understanding of the operations or activities of the government and not primarily in the commercial interest of the requester.” Reduced fees are also available for educational and media related purposes.

Redaction/Segregations

If a requested document contains information that falls under one of the 9 exemptions but also contains information permitted disclosure under FOIA, all information that may disclosed must be released to the requester.The document must use a “black out” or other visible marking of the document to conceal the redacted information so that the requester may see how much information was not released and where if falls in the document. The exemption causing the segregation must also be noted on the document.

Appeals

A requester may appeal if:

• They were denied access to the requested records
• They were partially denied access to the requested records
• They believe the fee to be too high
• They did not receive a response within 20 days.

If a requester seeks to appeal a denial, they must submit the appeal within a timely manner (usually 30-90 days after receipt of the denial.) Agencies should respond within 20 working days, however appeals are known to take much longer. If an appeal ends in a second denial, an individual may file a lawsuit with a U.S. District Court to access their information. Unfortunately the Federal Government may sometimes use denials as a stall tactic or because they know many people will not follow through with an appeal or litigation. Due to the backlog of requests and appeals, some requests are denied when they rightfully should be granted. Pursuing an appeal or filing a complaint often quickly resolves the issue.

Reports

The Freedom of Information Act requires government agencies to file an annual report on the FOIA requests they receive. The Report must contain:

• The number of request received
• Whether the requests were granted or denied
• The processing time for each request
• The number of appeals received
• Whether the appeals were granted or denied

The reports are used to evaluate the effectiveness of the system and to provide citizens with the assurance that their requests are processed fairly.

The Electronic Freedom of Information Act Amendment

The Electronic FOIA Amendment was passed in 1996 to incorporate the use of new technologies such as computers and the Internet into the effective implementation of the Freedom of Information Act. The amendment required that all government agencies make matters of public record available online. Furthermore it allowed the submitting of FOIA requests electronically to help ensure compliance with response times.

Summary

One of the most important tools in making intelligent decisions regarding personal privacy is having access to the information an entity has on record. The Freedom of Information Act protects U.S. citizen’s right access information maintained about themselves by the Federal Government and allows citizens to monitor government activity to discover misconduct and prevent abuse.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• The Freedom of Information Act (I.C.a.i-vii.)