OMB to agencies: Review personal data protections

The Office of Management and Budget has directed agencies' senior privacy officials to review and correct any policies and processes to ensure that they protect against misuse of or unauthorized access to personally identifiable information.

The memo, dated today from OMB acting director Clay Johnson, comes on the same day the Veterans Affairs Department announced that electronic data containing the personal information of up to 26.5 million veterans was stolen from the home of a VA employee.

'Because federal agencies maintain significant amounts of information concerning individuals, we have a special duty to protect that information from loss and misuse,' he said in the memo.

The memo re-emphasizes agencies' responsibility to safeguard sensitive personally identifiable information and to train employees on their responsibilities, especially related to provisions of the Privacy Act.

The Privacy Act requires each agency to set the rules of conduct related to any system of records, to instruct each employee as to what is required to comply with them and the penalties for not adhering to them. Under the statute, agencies are required to establish administrative, technical and physical safeguards to insure the security and confidentiality of records.

Agencies are to evaluate all means used to control personally identifiable information, including procedures and restrictions on its use or removal beyond agency premises or control, OMB said. Agencies will include the results in their next report in the fall detailing compliance with the Federal Information Security Management Act.

Within the next 30 days, agencies are to remind their employees of their specific responsibilities for safeguarding personally identifiable information, the rules for acquiring and using such information, and the penalties for violating these rules.

Under FISMA and related policy, agencies are to 'promptly and completely' report security incidents to proper authorities, including the inspector general, law enforcement authorities and, under some circumstances, the Homeland Security Department.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

  • Marines on patrol (US Marines)

    Using AVs to tell friend from foe

    The Defense Advanced Research Projects Agency is looking for ways autonomous vehicles can make it easier for commanders to detect and track threats among civilians in complex urban environments without escalating tensions.

Stay Connected