OMB developing rules for IT privacy assessments

By late summer, the Office of Management and Budget plans to issue privacy regulations that most likely will affect only new systems.

The E-Government Act of 2002 requires OMB to update its existing regulations and codify how the executive branch secures citizen information collected through the Web, said Eva Kleederman, an OMB policy analyst.

OMB has not yet decided if the guidance will ask for privacy assessments of legacy systems that have new front-end Web links, Kleederman said.

The goal is to have the guidance in place to help agencies during the fiscal 2005 budget process. Agencies have until early September to submit business cases for systems that will require funding in 2005.

'The guidance does not provide a template for agencies to follow,' Kleederman said. 'We don't want to prescribe a method or tool. Agencies should perform privacy assessments throughout their project's lifecycle.'

A handful of agencies are reviewing a draft of the guide, she said last week at the E-Gov 2003 Conference in Washington.

Kleederman said the final directive will touch on five items about the mandatory assessments:

  • What triggers one


  • What type is needed


  • What content must be covered, such as details about data collected and how it is used


  • How in-depth each review must be, which will depend on a system's size and complexity


  • Who will review them and how they will be made public.


  • The guidance also will require agencies to describe in detail their Web privacy policies, such as what information their sites collect and whether posted privacy policies can be easily understood by visitors.

    Stay Connected

    Sign up for our newsletter.

    I agree to this site's Privacy Policy.