Office of the Chief Information Officer

Provided by: marilyn49
1
Office of the Chief Information Officer
Electronic Government and Privacy Protection

2
Why do I need to know about the Privacy Act?
  • One reason is that the Privacy Act requires it
    Persons who are involved in the design,
    development, operation, or maintenance of a
    system of records, or in maintaining any record
    must be instructed in the rules and requirements
    of the Privacy Act (see 5 USC 552a(e)(9)).
  • (See also 383 DM 9)

3
What is the Privacy Act?
  • The Privacy Act of 1974 (5 U.S.C. 552a)
    establishes safeguards for the protection of
    records the Executive Branch of the federal
    Government collects and maintains on individuals
    who are United States citizens or lawfully
    admitted permanent residents.

4
What is the Privacy Act?
  • You may be surprised by the diverse scope of the
    Privacy Act. For example, were you aware that it
    includes requirements for
  • Limiting the collection of personal information
    from individuals,
  • Publishing notices about information collected,
  • Restricting the use and disclosure of personal
    information,
  • Providing certain rights to the subject of the
    record, and
  • Safeguarding the information?

5
What is the Privacy Act?
Privacy Act requirements are found in each phase
of the life cycle of an information system
  • Collection
  • Maintenance
  • Use
  • Disposition

6
What Does it Apply to?
  • The Act Applies to Individuals
  • (i.e., United States citizens and lawfully
    admitted permanent residents)
  • It does not apply to information about
  • - Businesses,
  • - Organizations (including persons representing
    them), and
  • - Statistical information not linked to the person

7
There are Penalties for Violations
  • One reason why it is important to know the
    Privacy Act's requirements is that there are
    civil and criminal penalties for violating
    certain requirements of the Act.
  • There are penalties for
  • Prohibited disclosures,
  • Maintaining a system without a published notice,
    and
  • Obtaining information under false pretenses.

8
The Privacy Act and Privacy Policy Apply to
Information in any Format
  • Paper Records
  • Databases
  • Intra and Inter-Agency Data Sharing
  • Data Matching
  • Websites
  • New Technology (e.g., GIS, Wireless)

9
Collecting Information from Individuals
  • The Privacy Act has certain requirements for
    collecting information from individuals
  • These include
  • 1) Maintaining only information that is
    relevant and necessary to accomplish a
    purpose of the agency required by statute or
    Executive Order,
  • 2) Trying to collect the information directly
    from the subject of the file, and

10
Collecting Information from Individuals
  • 3) Providing a Privacy Act notification
    statement to the individuals providing
    information, which must include
  • - The authority to collect the information
  • - The purpose for which the information
    will be used
  • - Other parties outside the Department with
    whom the information will be shared
  • - The effects of not providing the
    information
  • This is required for paper and electronic forms
    on websites

11

Collecting Information from Individuals
  • A companion to the Privacy Act is the Paperwork
    Reduction Act (PRA).
  • It also has requirements for collecting
    information from members of the public.
  • Contact your bureau/office Information
    Collection Clearance Officer if you are
    collecting the same information from 10 or more
    members of the public.

12

What are E-Government Act Privacy Requirements?

13
E-Government Act of 2002 Privacy Requirements
  • Topic 1: Key Provisions of Section 208
  • Topic 2: Web Privacy Requirements
  • Topic 3: The Privacy Impact Assessment

14
E-Government Act of 2002 Privacy Requirements
  • Goal of bringing the Government more fully into
    the electronic age and improving public access to
    e-Government services.
  • New rules for federal agencies that are designed
    to protect the privacy of citizens using
    e-Government services
  • (see Sec. 208 of the Act, and
    OMB Memo M-03-22)

Don't let privacy be road kill on the
information highway!!

15
Why the Focus on E-Gov and Privacy?
  • Concern over easy
    aggregation and linking of data
  • Profiling, creating valuable information packets
    on individuals
  • Information once released
  • - can't be retrieved
  • - sent instantly and globally

16
Why the Focus on E-Gov and Privacy?
  • Concern of public over loss of control of
    information
  • Concern over loss of confidence and trust in
    Government electronic services
  • The new E-Gov formula -
  • Ease, Engagement,
  • Privacy and
  • Protection
  • (See Excellence in Government Report of
    April 2003)

17
E-Government Act of 2002 Privacy Requirements: Web
Privacy Requirements
  • The E-Government Act of 2002 includes web privacy
    policy requirements. They include
  • 1. Posting Web privacy policies on websites that
    are major entry points and frequently visited
    websites,
  • 2. Posting specific Web privacy policies when
    collecting information from the public from
    interactive web forms, and
  • 3. Posting specific Web privacy policies
    according to the Federal Trade Commission
    standards when pages are directed at children 13
    years or under.

18
E-Gov Web Privacy Requirements?
  • In OMB Memo M-03-02, Attachment A, Section III
    provides Privacy Policies on Agency Websites
  • Key Points
  • Follow current web privacy policy (see OMB
    privacy policy website at
    www.whitehouse.gov/omb/privacy/website_privacy.html)
  • Web privacy policy notices (See DOI umbrella
    privacy policy notices at
    http://www.doi.gov/footer/privacy.html) and
  • Specific notices when collecting information from
    the public (for example
    http://www.volunteer.gov/gov/privacy.cfm)

19
Understanding the Privacy Impact Assessment (PIA)
  • Introduction
  • The PIA is required by the E-Government Act. It
    is basically a checklist or tool to ensure that
    new or modified electronic collections of
    information on individuals
  • - Are evaluated for privacy risks.
  • - Are designed with Privacy Act life
    cycle management requirements (collection,
    maintenance, use, safeguards and records
    scheduling).
  • - Ensure that appropriate privacy
    protection measures are in place.

20
Understanding the Privacy Impact Assessment (PIA)
  • When do you Complete a PIA?
  • At different stages of a project's life cycle
    - each phase may have new privacy risks.
  • When collecting information from websites
    (eforms, surveys, etc)

21
Understanding the Privacy Impact Assessment (PIA)
  • When Do You Submit Copies?
  • DOI IT Security Asset-Valuations
  • DOI IT Security Certification and Accreditations
  • OMB Exhibit 300s
  • Identify on websites collecting information from
    the public
  • Identify in Privacy Act system of records notice
    in the Federal Register
  • Identify in OMB Information Collection Clearance
    packages

22
Understanding the Privacy Impact Assessment (PIA)
  • DOI Requirements
  • DOI's PIA requirements extend to all systems that
    contain information on individuals (includes
    systems with information on BOTH employees and
    members of the public)
  • (OMB provides option in OMB M-03-22).
  • DOI requires that all systems perform a
    preliminary review for information on
    individuals - DON'T CONFUSE THIS WITH DOING A
    COMPLETE PIA

23
Understanding the Privacy Impact Assessment (PIA)
  • DOI Requirements
  • The preliminary review is documentation to
    verify that we've looked at all systems to
    determine if they maintain information on
    individuals (keep it with the metadata).
  • Doing this preliminary review (completing the
    PIA template questions up to B.1.a.) will help
    you to determine if you need to continue on and
    complete the PIA.

24
Understanding the Privacy Impact Assessment (PIA)
  • DOI Requirements
  • If you determine that there is no information on
    individuals in the system then there is no point
    in completing the rest of the PIA document.

25
Understanding the Privacy Impact Assessment (PIA)
  • OMB's Requirement for
    Exhibit 300s
  • OMB's requirement for Exhibit 300s is narrower
    than DOI's.
  • OMB only requires a PIA for systems that maintain
    information on individuals WHO ARE MEMBERS OF THE
    PUBLIC.

26
Understanding the Privacy Impact Assessment (PIA)
  • OMB's Requirement for
    Exhibit 300s
  • OMB has explained that a General Support System
    would require a PIA when it maintains
    information on individuals (i.e., collects,
    stores, uses, disposes of the information).
  • With regard to networks, if these are just conduits
    of information and the information is not maintained
    in the sense above, a PIA is not required.

27
Understanding the Privacy Impact Assessment (PIA)
  • OMB's Requirement for
    Exhibit 300s
  • OMB is NOT interested in the DOI preliminary
    reviews or PIAs done for systems that maintain
    information on employees (optional)
  • Mark No PIA when there is found to be no
    information on individuals in the system
    (Remember the preliminary review is NOT a
    PIA)

28
Understanding the Privacy Impact Assessment (PIA)
  • References
  • OMB Memo of 9/26/03 (M-03-22) on implementing the
    Privacy Provisions of the E-Government Act
  • OCIO Directive of 10/18/02 on implementing PIAs
  • Privacy reference material on the DOI Privacy
    Program Webpage
  • www.doi.gov/ocio/privacy

29
Where Can I Go for More Information
  • The DOI Privacy Program Website
    www.doi.gov/ocio/privacy contains links to all of
    the relevant statutes and regulations. In
    addition, this website provides information on
    the following topics related to privacy
  • The federal budget process
  • Federal contracts
  • Geographic information systems
  • Interagency data sharing
  • Privacy Impact Assessments
  • Websites directed at children

30
Interior's E-Privacy Measures as a Best Practice
DOI PIA in Attachment to the Report
http://www.iaconline.org/sigs/egov/040317privacy.pdf

31
Coming Early 2005: DOI University Computer-Based
Training for All Employees on an Overview
of the Privacy Act

32
Any Questions?
Contact your Privacy Act Officer (see list at
http://www.doi.gov/ocio/privacy/)
Or contact Marilyn Legnini, DOI Privacy Act
Officer, 202-219-0868, Marilyn_Legnini_at_ios.doi.gov