Annually, as part of an annual E-Government Act status report, or updated as necessary when a system change creates new privacy risks.
A Privacy Impact Assessment (PIA) is an analysis of how information is handled to ensure it conforms to applicable privacy laws and policies; to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
Section 208 of the E-Government Act of 2002 (Public Law 107-347, 44 U.S.C. Ch 36) requires the OMB issue guidance to agencies on implementing the privacy provisions of the E-Government Act. An OMB memo on that subject, states that "Agencies are also directed to describe how the government handles information that individuals provide electronically, so that the American public has assurances that personal information is protected." Currently this guidance applies to "all executive branch departments, agencies and their contractors that use information technology or that operate Web sites for purposes of interacting with the public." Corporations collecting information online have to have stated privacy policies, enforced, in theory, by the FTC, but they do not have to do a PIA, per se.
PIAs must analyze and describe the nature and source of what information is to be collected and why; how the information will be used; who it will be shared with; opt-out opportunities or consent to particular uses of the information; how the information will be secured; and whether a system of records is being created under the Privacy Act, 5 U.S.C. 552a.
Other good information to include is:
--Will data also be collected from third party sources?
--Who will have access to the data in the system and what controls are in place to prevent misuse?
--Who is responsible for assuring proper use of the data and for protecting the privacy rights of the customers and employees?
--Will the system derive new data or create previously unavailable data about an individual through aggregation?
--Explain any possibility of identification and/or disparate treatment of individuals or groups.
--If the system is operated at more than one site, how will consistent use of the system and data be maintained at all sites?
--What is the data retention period? What are the procedures for eliminating data at the end of the retention period? Where are the procedures documented? How are they enforced?
The OMB memo can be found at http://www.whitehouse.gov/omb/memoranda/m03-22.html; it provides links to the E-Government Act Section 208 Implementation Guidance, a general outline of regulatory requirements pursuant to the Children's Online Privacy Protection Act; a summary of the modifications to existing guidance resulting from the memo. A complete list of OMB privacy guidance currently in effect is at OMB's Web site. For general information from the FTC on privacy, see http://www.ftc.gov/privacy.
Templates of PIAs can be found at: http://www.sba.gov/foia/pias.html, and a search of Canadian government sites will reveal an extensive assortment of very complete PIA templates -- but remember, they're referencing Canadian laws!
About the author
Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:firstname.lastname@example.org.
Opinions expressed in this column are those of Shelley Bard and don'tnecessarily reflect those of Verizon FNS.
Last week: Can you go on vacation?