Think of privacy early and often, CIO Council tells agency buyers
By Christopher J. Dorobek
When compiling that to-do list for a new system, don't forget privacy, the Chief Information Officers Council is urging.
A guide, developed by the IRS and recently endorsed by the council as a best-practices policy, recommends that privacy protections be integrated during systems development, not added as an afterthought.
'We think there should be a privacy plan for any information that is going to be collected, whether it is a system of records or not,' said Commerce Department CIO Roger Baker, co-chairman of the council's Security, Privacy and Critical Infrastructure Committee.
He likened the approach to the view the government is now taking toward systems security. 'We wanted to get to the point that security is integrated with an information technology system,' Baker said. 'Security is planned as you develop it' as data privacy controls should be, too.
The IRS developed the privacy guide more than two years ago, IRS privacy advocate Peggy Irving said.
'When you look at the methodology, what we intend to do with this is to minimize the [personal] data that is collected in information systems' to what the IRS needs to do its job, she said.
The CIO Council has posted the 14-page document, The IRS Model Information Technology Privacy Impact Assessment, on the Web at cio.gov/docs/IRS.htm. The council acknowledged that the guide contains some details that are relevant only to the IRS but suggested that agencies modify the specifics to meet their own unique requirements.
The IRS guide walks program managers through a list of questions that they should ask about data before they begin collecting it: Who will have access to the data? What are the attributes of the data? What maintenance and administrative controls are needed?
If agencies apply 70 percent of the document, they will be ahead of the privacy game, Baker said.
The council's privacy committee wanted agencies to have a template they could use for their own systems 'as they attempt to bring privacy more to the forefront,' Baker said.
The IRS is using the privacy assessment guide on all new systems and any slated for major renovation, Irving said.
The IRS 10-step guide to good privacy
• Protecting taxpayers' privacy and safeguarding confidential information is a public trust.
• The service will not collect or use taxpayer information unless it is necessary and relevant to tax administration or other mandated purposes.
• The service will collect information, to the extent practicable, directly from the taxpayer to whom it relates.
• The IRS, whenever possible, will verify with taxpayers any information collected about them from third parties before taking action based on the data.
• The service will use personally identifiable information only for the purpose for which it collected the data, unless other uses are specifically authorized by law.
• The IRS will dispose of personally identifiable information at specified times, as required by law or regulation.
• Taxpayer information will remain confidential; the IRS will not disclose it to any person within or outside the service unless authorized by law.
• Browsing and unauthorized access of taxpayer information by any IRS employee constitutes a serious breach of confidentiality and will not be tolerated.
• Requirements governing the accuracy, reliability, completeness and timeliness of taxpayer information will ensure fair treatment of all taxpayers.
• The IRS will respect the privacy rights of taxpayers at all times and treat every taxpayer honestly, fairly and respectfully.