The Consolidated Appropriations Act of 2005 was enacted on December 8, 2005. While the Act is mainly known for its last-minute budgeting, it also contains some important provisions for privacy protection and auditing, which are the focus of this article.
Privacy & Data Protection in the Act
Among the Act’s many requirements, Section 522 asked that each agency designate a Chief Privacy Officer (CPO) to assume primary responsibility for privacy and data protection policy. The roles and responsibilities of the CPO are as follows:
- Assure that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection and disclosure of information in an identifiable form.
- Assure that technologies used to collect, use, store and disclose information in identifiable form allow for continuous auditing of compliance with stated privacy policies and practices.
- Assure that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as defined in the Privacy Act of 1974.
- Evaluate legislative and regulatory proposals involving collection, use and disclosure of personal information by the federal government.
- Conduct a privacy impact assessment of proposed rules of the department.
- Prepare a report to Congress on an annual basis on activities of the department that affect privacy.
- Ensure that the department protects information in an identifiable form and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
- Train and educate employees on privacy and data protection policies to promote awareness of and compliance with established privacy and data protection policies.
- Ensure compliance with the department’s established privacy and data protection policies.
In addition to establishing the role of the CPO, Section 522 also required each agency to:
- Establish and implement comprehensive privacy and data protection procedures governing the agency’s collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public.
- Prepare a written report of its use of information in an identifiable form, along with its privacy and data protection policies and procedures and record it with the Inspector General of the agency to serve as a benchmark for the agency. Each report shall be signed by the agency privacy officer to verify that the agency intends to comply with the procedures in the report.
- Have an independent third-party review performed at least every two years on the agency’s use of information in an identifiable form.
As mentioned above, Section 522 required federal agencies to conduct an independent, third-party review of their use of information in identifiable form and of the agency's privacy and data protection procedures. The purposes of such reviews are as follows:
- Ensure the agency’s description of the use of information in an identifiable form is accurate and accounts for the agency’s current technology and its processing of information in an identifiable form.
- Measure actual privacy and data protection practices against the agency’s recorded privacy and data protection procedures.
- Ensure compliance and consistency with both online and offline stated privacy and data protection policies.
- Provide agencies with ongoing awareness and recommendations regarding privacy and data protection procedures.
Examples of these privacy reviews can be found here.
In response to Section 522 of the Consolidated Appropriations Act of 2005, the Information Security and Privacy Advisory Board (ISPAB) commented that it was a significant step forward in three main ways:
- It recognizes the increased importance of privacy management by the federal government in support of the Privacy Act, other privacy statutes and OMB privacy guidance (e.g. privacy impact assessments of the E-Government Act).
- It establishes agency focus and accountability for information privacy management, by mandating establishment of CPO positions in federal agencies.
- It makes clear that information privacy – though related to information security – requires unique processes and technology support systems, dedicated agency focus, educational efforts and accountability.
Furthermore, the chairman of the ISPAB asked the OMB to consider if the requirements in Section 522 “can be harmonized with other reporting requirements… especially where additional privacy specific reporting would be a logical extension of audit and reporting efforts already being undertaken by agencies… [After all], viewing privacy solely as a technology issue or as subordinate to security risks undercuts the necessity of considering privacy on its own merits. The two areas, privacy and security, are highly interrelated and often mutually supportive, but each requires its own focus.”
This article takes a look at the Consolidated Appropriations Act of 2005, particularly Section 522, which requires federal agencies to create a role of Chief Privacy Officer and submit independent, third party audits to Congress on an annual basis.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/US Government (CIPP/G) exam, a privacy professional should be comfortable with the topics related to this post, including:
- Consolidated Appropriations Act of 2005 – Chief Privacy Officer and audit provisions (I.C.d.i.)