OMB to agencies: Review personal data protections

The Office of Management and Budget has directed agencies' senior privacy officials to review and correct any policies and processes to ensure that they protect against misuse of or unauthorized access to personally identifiable information.

The memo, dated today from OMB acting director Clay Johnson, comes on the same day the Veterans Affairs Department announced that electronic data containing the personal information of up to 26.5 million veterans was stolen from the home of a VA employee.

'Because federal agencies maintain significant amounts of information concerning individuals, we have a special duty to protect that information from loss and misuse,' he said in the memo.

The memo re-emphasizes agencies' responsibility to safeguard sensitive personally identifiable information and to train employees on their responsibilities, especially related to provisions of the Privacy Act.

The Privacy Act requires each agency to set the rules of conduct related to any system of records, to instruct each employee as to what is required to comply with them and the penalties for not adhering to them. Under the statute, agencies are required to establish administrative, technical and physical safeguards to insure the security and confidentiality of records.

Agencies are to evaluate all means used to control personally identifiable information, including procedures and restrictions on its use or removal beyond agency premises or control, OMB said. Agencies will include the results in their next report in the fall detailing compliance with the Federal Information Security Management Act.

Within the next 30 days, agencies are to remind their employees of their specific responsibilities for safeguarding personally identifiable information, the rules for acquiring and using such information, and the penalties for violating these rules.

Under FISMA and related policy, agencies are to 'promptly and completely' report security incidents to proper authorities, including the inspector general, law enforcement authorities and, under some circumstances, the Homeland Security Department.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected