OMB sets new data privacy regulations
- By Jason Miller
- Oct 10, 2003
'OMB left a lot of flexibility to agencies to use their best tool available for their particular environment.'
' USPS' Zoe Strickland
With the release of new privacy rules for electronic information, the federal government is trying to right its somewhat troubled record of protecting personal data.
'You have to really promote privacy,' said Zoe Strickland, chief privacy officer for the Postal Service. 'You must embed it into your organization and make people see this is more than just another requirement you must fulfill.'
The Office of Management and Budget aims to do that in the privacy guidance document it released late last month. It gives agencies flexibility in developing policies that fit their needs but specifies how they must keep information secure.
The guidance, which details how agencies should meet the privacy provisions in the E-Government Act of 2002, is the strongest salvo any administration has put forth in 30 years, many officials said.
'These are potentially the most significant new privacy protections for personal information held by the federal government since the 1974 Privacy Act,' Senate Governmental Affairs Committee spokeswoman Leslie Phillips said. 'The policies will require program officials to plan strong privacy protections in advance, as they develop IT systems and before they begin new collections of information.'
The E-Government Act and the guidance come after failures by the government to protect personal data. As examples of efforts that neglected to secure personal data adequately or put such data at risk of tampering, privacy advocates are quick to recall the Social Security Administration's Personal Earnings and Benefits Estimate Statement system debacle in 1997 and a recent Army data-mining plan that used passenger information from Jet Blue Airways of New York.Past woes
SSA received so much criticism that it had to scrap its system shortly after launching the pilot to allow online access to PEBES. And the Army was condemned for hiring a company to test a terrorist detection system using data about 5 million Jet Blue passengers.
Through this guidance, OMB is trying to make sure the privacy fiascoes of the past don't recur. Agencies now must perform privacy assessments for all new systems and for any system undergoing a major modification.
'There have been so many cases where privacy has been a major issue for the advancement of e-government programs,' Ari Schwartz, associate director for the Center
for Democracy and Technology of Washington, said. 'Putting together this framework where privacy is addressed early on will lead to better information management and ensure better e-government programs.'
In a memo to agency executives, OMB director Joshua B. Bolten outlined how agencies must conduct privacy analyses when developing or buying systems that collect, maintain or disseminate identifiable personal information.
OMB has been working on the guidance for about a year.
Although it had not completed the guidance, the administration asked agencies to submit assessments with the fiscal 2005 budget proposals sent to OMB earlier this month. The guidance makes the privacy reviews a permanent part of the budget process.
'By and large, agencies are complying,' an OMB staff member said. 'It will take time for agencies to understand how to develop their assessments. We have been working closely with them from the beginning while the regulation was being developed. They had a pretty good idea of what was to be expected.'
In his memo, Bolten asked agencies to develop plans by Dec. 15 to make Web site privacy policies machine-readable, which means the statements must be in a computer language that can be automatically read by a Web browser.
But one privacy advocate noted that the requirement limits the technology that agencies can use to meet the Web policy demand. Only the Platform for Privacy Preferences Project specification provides the format for meeting the machine-readable policy, said Robert Gellman, a privacy consultant and GCN columnist.
The standard, created by the World Wide Web Consortium, is a set of specifications for stating privacy practices in a standard format that can be retrieved automatically.
'But no one is using it; there's no buzz about it,' Gellman said. What's more, coding an entire Web site to meet the P3P spec would be 'expensive, difficult and could waste time and money,' he said.
But USPS' Strickland and other government officials downplayed the difficulty of applying the P3P standard. The Postal Service has been using the specification for its Web site.
'It's not as complicated as one might think,' she said. 'It wasn't hugely expensive. It's a matter of understanding your own policies and then feeding that into how your Web template is built.'
In the main, privacy experts lauded the guidance as being detailed but not too prescriptive.
'OMB did a workmanlike job in writing a guidance from a very badly drafted statute,' Gellman said. 'A lot of this stuff, however, depends on the goodwill of agencies and how much they want to do this stuff.'
Many experts said OMB oversight will be key to making privacy a priority in agencies.
'We have some concerns about implementation because the law went into effect in April, but the guidance was months late, and some agencies were slow to get started,' Phillips said. 'It would be a shame if the executive branch did not follow through on this opportunity.'
The OMB staff member said the administration will oversee the implementation of the guidance through normal reporting mechanisms, such as agencies' business cases and the annual E-Government Act report to Congress.
At least two agencies, though, already are applying the privacy assessments to their systems.
'OMB left a lot of flexibility to agencies to use their best tool available for their particular environment,' said USPS' Strickland, who helped write the guidance as a part of an interagency working group. 'For the Postal Service, we married privacy and security to make sure the right controls are in place.'Integrated privacy
USPS developed a questionnaire for program managers to analyze the type of information being collected, sensitivity of the information and protection plan for the data.
'We get the privacy impact assessment signed off before a contract is signed for an IT system,' Strickland said. 'We made sure our privacy needs are met at the right time and integrated with the other functions.'
The Census Bureau also stressed the importance of protecting data.
Shelly Martinez, a policy development team leader in the bureau's Policy Office, said privacy impact assessments are a part of all project plans.
Census developed a privacy evaluation tool internally by asking program managers to answer questions about their systems, such as how data meets the agency's mission, how the data is secured and whether there is public consent to collect the data. Managers then score their answers on criteria that help determine the amount of security and privacy a system needs, Martinez said.
She said it takes about two to three hours for managers to finish an assessment, and Census and Commerce Department officials sign off on each plan. For fiscal 2005, Census performed 20 privacy assessments, and Martinez said that number likely will increase with the new guidance.
'The guidance should get agencies to start thinking about privacy at the beginning of the planning process,' Schwartz said. 'We already are starting to see an impact. It does put pressure on agencies who would not have a privacy person in place otherwise.'