The E-Government Act of 2002, containing 5 separate Titles and 40 different sections, created many new regulations for the implementation and use of electronic information in the Federal Government. It’s stated purpose is as follows:
“To enhance the management and promotion of electronic Government services and processes by establishing a Federal Chief Information Officer within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes.”
Section 208 of the E-Government Act is devoted specifically to privacy concerns. It placed four specific requirements on Government agencies:
- Conduct Privacy Impact Assessments for electronic information systems and records and make them available to the public
- Post privacy policies to all agency websites
- Implement P3P (machine-readable) privacy policies on agency websites
- Submit annual reports to the Office of Management and Budget regarding compliance with the Act
All Privacy Policies:
- Require consent from the individual for information collection and sharing. Website visitors must be told whether the information requested is voluntary or mandatory as well as how to grant consent for the collection of both voluntarily and mandatorily provided information.
- Must implement machine readable (P3P) privacy policies into their websites.
- Must comply with the relevant Office and Management and Budget Memorandums which concern the content and use of privacy policies:
- Memorandum-99-18 Requires the inclusion of two content areas: Consent to collection and sharing; Rights under the Privacy Act or other privacy laws (as outlined above) OMB M-99-18 also requires the posting of privacy polices on the main web site, any major entry points to the site and on every page that collects personally identifiable information. Further it requires privacy policies to be clear, conspicuous, accessible and easy to understand.
- Memorandum-99-05 Deals with the administrative side of privacy protection. M-99-05 requires all employees and contractors to be educated in their responsibility towards privacy protection. All individuals that may have day to day responsibility for implementing section 208 must be identified. A senior official or officials must be appointed to oversee privacy matters in the agency, serve as the principle information technology contact and review the agency’s Privacy Impact Assessments.
- Must continue to implement the privacy protections enforced by other regulations. Privacy policies should assure visitors that the information technologies used protect data during all phases of its life cycle. They should assure compliance with the Privacy Act of 1974 regarding how information is handled and complete regular evaluations to ensure compliance. Furthermore, the agency must fully adhere to their stated privacy policies.
Privacy Impact Assessments
The E-Government Act requires agencies to conduct Privacy Impact Assessments to achieve three main goals:
- Ensure that information handling complies with all applicable laws, regulations and policies regarding privacy.
- Assess the risks and effects to the individual of collection, maintaining, using and disclosing personally identifiable information
- Evaluate current protections, their effectiveness and consider possible alternatives better protect data from privacy violations.
When must a PIA be conducted?
All PIA should be conducted to the collection, use or disclosure of information in identifiable form. A PIA is required:
- Prior to developing or obtaining and IT system or process which collects, stores or discloses personally identifiable information
- Prior to instituting a new electronic means of collecting identifiable information from 10 or more individuals
- When converting paper records to electronic records
- When anonymized data in an information system is changed into identifiable form
- Prior to significant changes of an existing IT system when such changes effect how identifiable information is managed in the system
- Prior to the merging of information (most often completed through matching programs with other agencies)
- When a new user authentication technology is used to allow public access to government information
- Before information purchased from commercial or public sources is merged into existing information systems maintaining personally identifiable information
- When two or more agencies work together to share function or uses of personally identifiable information, the lead agency should prepare the PIA
- When internal business process result in significant changes of the use, disclosure or collection of identifiable information.
- When additional data elements containing information in identifiable form are added to an information system and increase the risk to personal privacy.
There are a few exceptions to the Privacy Impact Assessment rule. A PIA is not required:
- When the information relates to internal government operations
- A previous evaluation has been conducted in an assessment similar to a PIA
- When privacy issues remain unchanged. Examples of such situations include:
- Government information systems that do not maintain information in identifiable form or about members of the general public
- When the government-run public website is only used to collect limited information from individuals for the purpose of providing feedback to their inquiries or requesting additional information
- National security systems
- When privacy protection is addressed in a matching agreement as pursuant to the Privacy Act
- When privacy protection is addressed in an interagency agreement allowing the merging of data only for statistical purposes and PII remains private pursuant to Title V of the E-Government Act
- If the IT systems collects information in non identifiable form for purposes other than the matching or merging of that data with other databases
What does a Privacy Impact Assessment contain?
Each PIA must contain the following information:
- The nature, source of collected information
- The reasons behind the collection of information
- The intended uses and disclosures of collected information and how the individual can provide their consent
- The technical and administrative safeguards used to protect the information
- Whether the information system falls under the definition of system of records under the Privacy Act
- An analysis of the PIA and the steps taken by the agency to remedy and problems or weaknesses
What is the Significance of Privacy Impact Assessments?
Privacy Impact Assessments are public documents that allow ongoing monitoring and assessment of privacy protection implementation and effectiveness. All PIAs must be evaluated by the Chief Information Officer in the Office of Management and Budget. The CIO’s job is to evaluate all PIAs for compliance and ensure implementation of the necessary procedures.
Further more, they provide the public with insight into how the Federal Government collects, uses, maintains and protects personally identifiable information. Under Section 208B, Privacy Impact Assessments should be made available to the public through publication on the agency’s website or publication in the Federal Register, though this requirement may be waived for security purposes.
PIAs are similar to the Systems of Records Notice (SORN) required under the Privacy Act of 1974 which created a Federal Register documenting all information systems which use personally identifiable information to retrieve records. Privacy Impact Assessments allow for stronger privacy protections by requiring greater detail and by applying to some records systems which are exempt from filing SORNs.
With the integration of new technology into record keeping systems, the U.S. Government recognized the need for new legislation regulating the use of such technologies by the Federal Government. Section 208 is particularly important in privacy legislation because it increases the protections granted under other privacy legislations such as the Freedom of Information Act and the Privacy Act of 1974. Furthermore, it regulates the collection, use and disclosure of personally identifiable information over the Internet, requires regular enforcement through the use of Privacy Impact Assessments and provides public access to government activities through regular reporting and publication of those assessments.
CIPP/G Candidate Preparation
In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including: