@Info.Policy: Are e-gov act's privacy reviews a hollow demand?

Robert Gellman

So much legislation with information policy implications passed at the tail end of the 107th Congress that it will take a long time to digest it all. I thought I would start with the E-Government Act of 2002.

Many sections of this law are worthy of discussion, but let's focus on the privacy provisions in Section 208. The core requirement is that agencies must conduct privacy impact assessments before developing or procuring information technology that collects, maintains or disseminates identifiable information.

A privacy impact assessment is also required for any new information collection that uses IT and that includes information in an identifiable form that could permit physical or online contact with a specific individual.

Note right away that this key clause uses two standards of identifiability in the same sentence. And both standards differ from the definition in the Privacy Act of 1974. Identifiability is a difficult enough concept. Having multiple approaches does not help at all.

The legislation directs the Office of Management and Budget to provide guidance to and oversight of the privacy impact assessment process. Congress used that model in the Privacy Act of 1974, too.

If we've learned anything after all these years, it's that OMB does not care about privacy. Repeatedly Congress has asked OMB to focus on privacy but has been disappointed. Privacy implementation and oversight by OMB seems doomed to failure.

The substantive content of a privacy impact assessment must await guidance from OMB. But the statutory requirements do not go beyond what the Privacy Act already requires.

Will OMB add real meat to the bare bones of the new law? If you think it will, then you probably skipped over the previous paragraph.

Even more troubling, the privacy impact assessment process misses a vital step. An agency must conduct an assessment and have the agency CIO review it. Then, and only if practicable, must the agency make the assessment publicly available.

There is no role for the public during preparation and no requirement that the agency solicit, wait for or consider public comments.

Finally, the law does not require an agency to do anything with a privacy impact assessment. An agency need not consider the assessment, respond to its findings or conclusions, or take it into account in any formal way. Just assess, publish if practicable and send a copy of the assessment to OMB. But then, an agency is free to continue doing what it wants without regard for the privacy assessment.

Nevertheless, I welcome the requirement. Privacy impact assessments really can help agencies address privacy issues in a constructive way. The basic policy is good, but I am mystified about the poorly written statutory language. Still, a privacy impact assessment will help if an agency embraces the spirit of the law.

The law just passed, and already I am asking for miracles, first from OMB and then from agencies. This isn't starting out very well.

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at rgellman@netacc.net.
