IRS writes a script for privacy requirements
By Robert Gellman
Every federal agency faces the same privacy requirements because every agency is subject to the Privacy Act of 1974. For those who are not Privacy Act specialists, the law can be a confusing welter of privacy and records management requirements. The act is actually organized around a framework known as fair information practices, but the framework is invisible to the casual observer.
Understanding the law is a challenge. Deciding when you have a Privacy Act problem can be even more difficult. Figuring out what to do to meet the law's requirements usually requires expert help.
The difficulty is compounded when an agency establishes or modifies a major information system. With today's highly integrated computer systems and networks, a single system can encounter many types of personal information. In crossing internal jurisdictional boundaries, it can trigger some or all of the Privacy Act's requirements.
And to make life more complex, some agencies have separate privacy laws with additional requirements specific to them. Toss into the mix a set of outside contractors that are not accustomed to working in a Privacy Act environment, and you've got the potential for a real mess.
Agencies often have Privacy Act officers, but they are rarely brought into the systems planning process early enough. Many work at too low a level to know what is going on elsewhere in their agency or to insert themselves into the system planning process at the right time.
The Office of the Privacy Advocate at the IRS has a somewhat higher profile than most agency privacy officers. In fact, it doesn't even have day-to-day responsibilities for the Privacy Act. It is supposed to operate on a higher plane.
The IRS' privacy advocate has taken steps to help agency personnel deal effectively with privacy. Last year the office developed its Privacy Impact Assessment (PIA) tool to use in evaluating privacy in information systems. One strategy is to incorporate privacy into the system development lifecycle so that privacy issues will be considered from the earliest stages of design.
The PIA process begins when system developers analyze requirements and make decisions about system design and data storage. You cannot start too early because it is always more difficult and expensive to retrofit a design or system to meet privacy requirements.
The IRS privacy advocate offers training in the PIA process to help system chiefs and developers identify the privacy issues they'll have. To do so, chiefs and developers respond to a list of questions prepared by the privacy advocate.
Questions center around four themes:
- What type of data will the system use (for example, taxpayer or employee data)?
- Who will have access to the data inside and outside the agency?
- How will the data be used, and how will the system interoperate with other systems?
- What types of administrative controls will the agency use?
System chiefs route the PIA document they have prepared to the privacy advocate. This is a crucial step because system and privacy experts must work together to identify privacy risks and develop design requirements that minimize those risks. If the two groups encounter problems they cannot resolve, they present them to the IRS' chief information officer for resolution.
The IRS PIA is a useful document. Its best feature is the way it establishes the players' roles: the system chief and developer, the privacy advocate and the CIO.
I'd like to see more details and legal specificity in the PIA document. Examples of how the principles were implemented would also be useful. I was a bit surprised that the IRS-specific privacy provisions of the Internal Revenue Code were not more carefully incorporated into the PIA process. But these shortcomings are not showstoppers.
Other agencies can benefit from the work the IRS started. The document is not available online, but it should be. You can get a copy by writing to the IRS privacy advocate in Washington. If your agency isn't developing a complex new personal information system today, it will tomorrow. You might as well begin thinking about how to integrate privacy into that system and your agency operations.
Robert Gellman is a Washington privacy and information policy consultant. His e-mail address is email@example.com.