The Office of Management and Budget is one of several Government departments that issues new regulations and recommendations for protecting information maintained by the Federal Government. OMB Circular A-130, Memorandum-01-05, and Memorandum-05-08 are three important documents issued by the Office of Management and Budget for these purposes.
OMB Circular A-130 was first issued in 1985, and was revised several times, most recently in 2000, to establish guidelines for information management in the Federal Government.
When creating Information Management procedures, agencies should:
- Consider data at all stages of its lifecycle
- Consider the effects of such procedures on the public as well as local and state governments
- Consider the effect on the privacy of individuals
- Use interagency data sharing where appropriate before collecting new information
- Coordinate information system planning with budget, personnel and other resource planning
- Provide the greatest level of protection to the information at greatest risk
Regarding records management and the public, agencies should:
- Provide notice of the existence of such records, the type of information they contain and how to gain access
- Provide public access to the information when appropriate
- Make sure records management programs accurately record government activity
- Implement information dissemination management products that allow timely, cost-efficient access
- Ensure members of the public with disabilities are able to access information dissemination products
- Ensure printed copies of information dissemination products are distributed to depository libraries
- Agencies may use electronic media as an information dissemination product if:
  - it is cost effective and practical for large volume access
  - the product is disseminated frequently
  - most users have the knowledge and training to access the product
Agencies should also practice the following safeguards:
- Make sure the protection of information is commensurate with the level of risk and magnitude of harm caused by misuse of the information
- Limit collection of personally identifiable information to that which is absolutely necessary
- Limit the sharing of personally identifiable information and take steps to ensure confidentiality when disclosure is necessary
- Provide individuals with the right to access and amend their records as required under the Privacy Act of 1974
OMB A-130 also includes guidelines for implementing and managing information systems. Such management follows a three-step process of selection, control and evaluation. During the selection stage, agencies weigh the cost of a system against the benefits it provides and the adequacy of its protections. In the control stage, the system's performance is evaluated and oversight mechanisms are put into place. During the evaluation stage, regular post-implementation reviews consider the cost, benefit and effectiveness of the system, and improvements are made accordingly.
OMB A-130 assigned specific responsibilities to several government departments. Appendix I outlines specific oversight responsibilities for the head of each agency. Each department head must:
- Review a random sample of agency contracts every two years to ensure the wording of each contract is compliant with regulation
- Review record keeping and disposal practice every two years to ensure compliance with the Privacy Act
- Review routine use disclosures every four years to ensure that the uses of the information are still in accordance with the purposes for which it was originally collected
- Review every four years those systems of records exempt from disclosure under the Privacy Act to determine whether such exemption is still needed
- Review agency matching programs on an annual basis to ensure compliance
- Review Privacy Act training every two years
- Review any Privacy Act violations resulting in civil or criminal liability biennially
- Review Systems of Records Notices every two years to ensure accuracy
Other departments were given additional responsibilities. For example, the Office of Personnel Management must develop Privacy Act training programs; the National Archives and Records Administration must develop procedures for the transfer and archival of records; the Office of Management and Budget must issue guidelines to assist in implementing the Privacy Act.
Lastly, OMB Circular A-130 outlines guidelines for specific reporting and publishing activities required under the Privacy Act.
- A Biennial Privacy Act Report should include:
  - Statistics regarding the number of record systems, both exempt and non-exempt; exempt systems added or deleted; routine uses; the number of access and amendment requests and appeals, and whether they were granted or denied; the number of litigations
  - A brief summary of public comments received on agency publications or activities and the agency response
  - Results of reviews performed by the head of the agency
- A Biennial Matching Activity Report should include:
  - Information on the Data Integrity Board, including contact information for the Board Secretary
  - Information on each matching program, its purpose and the participating agencies; a cost/benefit analysis; a description of any matching agreement rejected by the Board with an explanation for the rejection
  - A listing of any violations of matching agreements; litigation arising from participation in a matching program; an explanation of steps taken to ensure the integrity of data where litigation was due to inaccurate data
- A New or Altered System of Records Report and a New or Altered Matching Program Report should be made when the type of information collected, or how it is accessed or protected, changes significantly. Such reports should include:
  - A Transmittal Letter signed by the senior official responsible for implementing the change
  - A Narrative Statement describing the reasons for the change; the authority supervising the system; any potential impacts or effects; and how each routine use remains compatible under the Privacy Act
  - Supporting Documentation, including a new System of Records Notice
In December 2000, the OMB issued Memorandum-01-05 to provide guidance on sharing personal data among agencies. M-01-05 served as a reminder of privacy protection already enacted under the Privacy Act of 1974, the Computer Matching and Privacy Protection Act and OMB Circular A-130, as well as additional recommendations for added protection.
It reiterated the following existing privacy requirements:
- Notice–Agencies using data sharing must notify the individual at the time of application and periodically after that. Thirty days before performing a data matching activity, a notice must be placed in the Federal Register
- Consent–Agencies must obtain consent from individuals prior to the sharing of data unless one of the exceptions under the Privacy Act is met
- Redisclosure Limitations–Information should not be redisclosed unless it is required by law or necessary to perform a matching program
- Accuracy–Individuals must be provided with the right to access and amend their information as required under the Privacy Act. If an agency plans to take adverse action against an individual due to information gained through a matching program, the information must be independently verified.
- Security Controls–Data must be guaranteed the same level of protection when shared with another agency, or such disclosures may not occur. Agencies should follow OMB Circular A-130 and NIST guidelines to adequately protect data.
M-01-05 also made additional recommendations:
- Minimization–the amount of personally identifiable information collected should be limited only to that which is necessary.
- Accountability–Agencies must be held responsible for upholding privacy principles during data sharing. Oversight and enforcement mechanisms should be implemented to ensure compliance
- Privacy Impact Assessments–PIAs should be completed before implementing new data systems to ensure adequate protection of information.
In February 2004, M-05-08 was issued to require the designation of Senior Agency Officials for Privacy. The creation of such a role was in accordance with Executive Order 13353, which established the Safeguarding Americans' Civil Liberties Board.
Under M-05-08, each agency must designate an official (such as the Chief Information Officer or a senior official with wide privacy responsibilities) to oversee privacy issues in the agency.
The Senior Agency Official for Privacy must:
- Hold overall responsibility and accountability for implementing privacy protection in the agency
- Ensure compliance with privacy laws such as the Privacy Act and the Federal Information Security Management Act
- Review the agency's privacy procedures and implement any necessary improvements
- Ensure employees and contractors receive adequate privacy training
- Be consulted heavily during the policymaking process to ensure privacy considerations play a role in the development of new laws and procedures
The Office of Management and Budget plays a significant and ongoing role in the implementation of privacy protection in the U.S. Government. Though laws such as the Privacy Act and the Freedom of Information Act legally protect individual rights, it is documents such as OMB A-130, M-01-05 and M-05-08 that help agencies implement those laws effectively.
CIPP/G Candidate Preparation
In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:
- Federal Agency Responsibilities including OMB Circular A-130 (II.C.i.1) and other OMB Provisions including M-01-05 (II.C.i.2.a) and M-05-08 (II.C.i.2.d)