Federal Privacy Policies
While there may be a lack of overall privacy law, the federal government is in the unusual position of having legal obligations concerning personal data collection and management (Congress likes to impose obligations on itself that it is unwilling to impose on the public). Unlike the gathering and collecting of every morsel of factoid by most entities, when the feds are the information squirrels, the nuts have significant rights concerning the information gathered. Where the squirrels wear badges and collect the nuts pursuant to a criminal investigation, then we are on an even more serious branch known as the 4th Amendment and Constitutional restrictions on searches and seizures.
Federal Privacy Policies
Federal agencies are a part of the Executive Branch of the Federal Government. This means that their boss is the President. While the Boss cannot pass new laws (that is Congress' job), the Boss can significantly influence policy by issuing Executive Orders that direct the way agencies should conduct their business. Previous Executive Orders have dealt with such subjects as environmental compliance, Y2K compliance, and e-government efforts.
The Clinton Administration issued two Presidential documents, known as Memoranda, on the issue of privacy. [M-99-18] [M-00-13] [See also M-03-22] These documents, directed at the heads of the Executive Departments and Agencies, instructed agencies to adopt privacy policies, comply with those policies, and, although not required by law, to comply with COPPA. Also, at the height of a ruckus about the covert use of cookies, the President forbade agencies to use cookies except in certain limited circumstances.
According to the Memoranda, federal agencies shall:
- Post privacy policies that are
- clearly labeled, easily accessible, and clearly written,
- on the agency's homepage, all other major entry points to the site, and all pages where substantial amounts of personal information are posted.
- Comply with the privacy policy.
- Not use cookies "unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of the information derived from 'cookies'; and personal approval by the head of the agency."
- Comply with the Children's Online Privacy Protection Act.
Executive Orders are instructions from the boss to the different offices. They do not generally create private rights of action and therefore are not generally enforceable by individuals.
Privacy Impact Statements
"A PIA is an analysis of how personal information is collected, stored, shared, and managed in a federal system. Specifically, according to Office of Management and Budget (OMB) guidance, the purpose of a PIA is to (1) ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (2) determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (3) examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks." [GAO Social Media p 6]
- Section 208 of the E-Government Act of 2002; 44 U.S.C. Ch. 36
- OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (Sept. 26, 2003)
- Bush Administration Ramps Up Federal E-Disclosure Requirements, OMB 10/3/03
- OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, OMB 10/3/03
- Agencies under fire to assess privacy impact of federal actions, Govexec 7/25/03
Federal Information Security Management Act
FISMA requires federal agencies to train employees and contractors regarding privacy.
Information Breach
- OMB Memorandum 06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006)
- OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007)
- NIST Special Publication 800-61, Computer Security Incident Handling Guide (Jan. 2004).
© Cybertelecom