GSA tells agencies: Boost privacy measures on Web sites

GSA recommends privacy guidelines



• Stay up-to-date on Web technology changes and their effect on privacy.
• Notify the public whenever you are collecting data on the Internet.
• Use information only for the sole purpose for which it was gathered and as was disclosed in the privacy notice.
• Protect privacy in all forms of data, including text, graphics, sound and video.
• Balance Freedom of Information Act and Privacy Act requirements.







The General Services Administration is pushing for more privacy protection
on agency Web sites, according to a memo released last month.


“Privacy concerns at federal Web sites will continue to grow as Web technology is
utilized increasingly by the federal agencies for the management of information, in
conducting electronic transactions, in communications and other areas,” said Joan C.
Steyaert, deputy associate administrator of GSA’s Office of Information Technology, in
the memo.


“Privacy is a critical issue to the development of federal Web sites and an
underlying principle necessary for promoting electronic business with the public,”
Steyaert said.


The document, posted on the Web at http://www.itpolicy.gsa.gov/mke/fedwebm/privacy.htm,
recommends agencies do three things:


The GSA document contends that privacy “needs to be a common thread throughout
government,” said Richard N. Kellett, director of GSA’s Emerging IT Policies
Division.


The Privacy Act of 1974, which GSA is using to frame its policy, focuses on program
data, Kellett said.


Large-scale electronic commerce in government makes the protection of account numbers,
personal identification numbers and other transaction data of paramount importance,
Kellett said.


Many agencies use the Federal Trade Commission’s privacy statement as a policy
model, Kellett said.


Balancing privacy laws with Freedom of Information Act requests is also difficult, he
said.


Carlynn Thompson, director of research, development and acquisition support for the
Defense Technical Information Center, said the Defense Department has even received FOIA
requests for the department’s Web logs.


“We’ve taken the stand that we will not release Web logs to anyone,”
Thompson said. “We do not want to risk revealing preference-type information.”


The only exception would be in response to court orders or law-enforcement efforts to
track down hackers, she said.


Defense’s home site, at http://www.defenselink.mil,
explains the department’s privacy policy to all visitors. “We tell the end user
what we collect and how that information might be used,” Thompson said.


The site informs users that DOD collects some information for statistical purposes.


The site identifies the host name or Internet protocol address of the visitor, the date
and time the person logged on to the site, the site viewed and the size of that site, the
browser the person is using and the last site the person visited.


DOD also notifies users that its sites use security software that monitors traffic to
identify unauthorized attempts to change information or damage the site.


The Office of Management and Budget has also been writing a Web policy.


Agencies must collect from the public “only the information necessary for the
performance of official functions” and must notify users when information is
collected, a draft of the OMB document said. 
