Privacy CIPP/G
Freedom of Information Act, 1966 (FOIA)
- Right for anyone to request access to fed agency records and info - objective: provide transparency of govt - applies only to fed agencies (not congress, courts, state/local agencies) - 1996: applies to records maintained in electronic format in addition to paper
E-Government Act, 2002
- brings PA, 1974 into digital age - Promotes use of electronic services by public - improves use of IT in the govt - includes provisions for privacy and information security - Section 208 contains privacy provisions to "ensure sufficient protections for the privacy of PI as agencies implement citizen-centered electronic Government"
Federal Open Meeting Laws
1) Federal Advisory Committee Act (FACA) 2) Government in Sunshine Act
Exceptions to PIA (OMB M-03-22)
1) National Security Systems 2) Previously assessed systems under an evaluation similar to PIA 3) Internal government operations 4) Systems collecting non-identifiable information 5) Government-run web sites not collecting identifiable information about the public
Requirements of E-Government Act
1) PIA 2) Website Policies of Section 208. Specifically: a) post privacy policies on websites b) standard machine-readable format (P3P) c) report annually to OMB
Differences of SA&A from PIA
1) Security focused vs. information focused 2) Information system focused vs. Information focused 3) Certification report targeted to accreditor vs. Assessment report targeted to general public 4) Periodic recertification vs. Periodic reassessment (no recert req w/o changes) 5) review, testing and interviews for validation vs. review and sign-off for validation 6) ATO-go or no go vs. ATO-can proceed w/o approval 7) Minimize system access and user privileges vs. Minimize information flow
Cookie Policy and TPWA Policy Privacy Requirements Overlap
1) Update privacy policies 2) provide clear notice and choice 3) incorporation into agency policies 4) create new policies and processes for approval of cookies and/or TPWA sites
M-10-23 Guidance for Agency Use of Third Party Websites and Applications (TPWA) (E-Gov Act 2002)
1) applies to contractors or non-gov entities 2) modifies M-03-22, M-99-18 Allows TPWA to facilitate new Open Gov initiative
Exemptions to Records Disclosures under FOIA
1) classified information 2) agency's internal rules/practices 3) exempt by any other statute 4) privileged & confidential trade secrets 5) privileged inter/intra agency memos 6) personnel, medical, and similar files 7) law enforcement records 8) financial institution regulatory records 9) geological and geophysical data concerning wells
PIA Publication Requirements (OMB M-03-22)
1) must be made publicly available a) unless PIA publication may reveal classified or sensitive information (protected and handled consistent with FOIA) 2) should not include PII in their PIAs
Agency Requirements for SOR (Privacy Act)
1. Collection 2. Notice 3. Record Standards 4. Access and Amendments 5. Maintenance 6. Contractors 7. Reporting 8. Data Integrity Boards 9. Safeguards 10. SSN
What are contents of Web Site Privacy Policy?
1. Consent to collection and sharing 2. Requirements on agencies 3. Rights of individuals 4. Compliance with the Children's Online Privacy Protection Act (COPPA)
What system changes can create new privacy risks and cause PIAs to be performed or updated?
1. Conversions 2. Anonymous to Non-Anonymous 3. Significant system management changes 4. Significant merging 5. New Public access 6. Commercial sources
SORN Requirements (Privacy Act)
1. Name and location 2. Categories of Individuals 3. categories of records 4. each routine use of records 5. policies and practices 6. title, address of responsible official
FIPP Principles
1. Openness 2. Notice 3. Use 4. Correction 5. Accuracy & Security
12 Exceptions to No Disclosure without Consent Rule (Privacy Act)
1. Performance of regular duties of an agency 2. FOIA disclosures 3. Routine uses 4. Census Bureau 5. Statistical research 6. Data held by the National Archives 7. Law enforcement 8. Compelling health/safety circumstances 9. Congressional committee (w/ jurisdiction) 10. GAO duties 11. Court order 12. Consumer reporting agencies
No Disclosure without Consent Rule (Privacy Act)- Most used Exceptions
1. Performance of regular duties of an agency employee 2. Routine uses as specified in the applicable SORN 3. Law Enforcement 4. Court Order
Web Site Privacy Policy Contents (E-Gov 2002)
1. Post links to website privacy policy at principal site, any known major entry point, any website that collects substantial PII 2. clearly labeled, easily accessed and written in clear language 3. consent requirement: a) inform visitors when info is voluntary, b) explain how to provide consent for both voluntary/mandated info when info is used for purposes other than mandated by statutes or different from routine uses under PA 4. inform users of nature, purpose, use or sharing of info 5. notify website visitors of their rights under PA 6. notify of applicable laws (ex. HIPAA) 7. state what info is automatically collected when site is visited (ie. IP address, cookies) 8. explain that proper admin, operational, and technical controls are in place to protect PI 9. COPPA compliance
Acceptable uses of TPWA (M-10-23)
1. Publish government information online 2. Improve the quality of government information 3. create and institutionalize a culture of Open Govt 4. Create an enabling policy framework for Open Government
Privacy Act, 1974 Policy Objectives
1. Restrict Disclosure 2. Grant access 3. Grant amendment 4. Establish a code of Fair information practices - Compile only what is relevant/necessary - Provide notice of new systems of records
What are the Tier 1, Tier 2, and Tier 3 reqs for cookies on fed web sites?
1. Single-Session: allowed w/o caveat 2. Multiple no PII: must inform user of activity via clear notice 3. Multiple with PII: Requires written OCIO and SAOP approval; 30-day public comment window; Explicit opt-in - user must acknowledge and approve cookie's use
Use of TPWA: General Requirements (M-10-23)
1. Third-party privacy policies: review, monitor, and periodically reassess risks 2. External links: provide alert to visitor that they are being directed to a TPWA 3. Embedded applications: disclose third-party involvement, and describe agency activities and privacy policies 4. Agency Branding: distinguish agency activities from non-governmental actors (ie. Seal, Emblem on profile page) 5. Information collection: agency should collect only the minimum info necessary for proper performance of agency functions with practical utility
PIA Requirements (OMB M-03-22, E-Gov Act 2002)
1. What info is collected 2. Why info is collected 3. Intended Use 4. With Whom Info is Shared 5. Opportunities individuals have to decline info (voluntary, consent to particular uses, how individuals consent) 6. How info will be secured (admin, tech controls) 7. Whether SOR is being created 8. Analysis of choices agency made regarding IT collection system 9. Information lifecycle analysis
Computer Matching Act, 1988
1. Written agreement between agencies has purpose, justification, legal authority and description of records to match 2. notice: of matching program at time of creation 3. disclose: agency cannot disclose records if it believes matching agreement is not being followed by recipient 4. reports on matching programs to OMB annually
Civil Remedies
1. agency refused to amend individual record upon request, or refused to provide individual access to his records, individual can sue in court 2. court can award individual attorney fees 3. actual damages suffered by individual, no less than $1000, plus costs and reasonable attorney fees
Laws Compelling Disclosure
1970: Bank Secrecy Act; 1978: Foreign Intelligence Surveillance Act (FISA); Protect America Act; 1978: Right to Financial Privacy Act; 2001: USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism); 2005: Real ID Act
OMB M-10-22: New Cookie Policy (E-Gov Act 2002)
CAN: use cookies to improve federal services online. CANNOT use measurement and web-enabled technologies to: 1. track user activity outside website or app 2. share data w/o consent 3. cross-reference data w/o user consent against PII to determine individual online activity 4. collect PII w/o user's explicit consent in any fashion 5. use data for any like usages designated by OMB
Computer Matching & Privacy Protection Act, 1988
Contains provisions that require agencies that match data among agency systems granting financial benefits to publicly disclose that matching and explain its scope
Computer Matching Example
Date: May 2008; Organizations: HUD, VA; Notice: VA provides HUD with data on individuals who have defaulted on their VA-guaranteed home loans; Data: SSN, EIN, case number, Fed Agency identifying code, record type
PIAs vs. SORNs
E-Gov Act 2002 requires PIAs; Privacy Act requires SORNs
Federal Advisory Committee Act (FACA)
Ensures advice rendered to exec branch is objective and accessible to public
What Act excludes requests involving access to records compiled for law enforcement purposes?
FOIA
FIPP
Fair Information Practice Principles
For what reasons can an individual file a lawsuit under the Privacy Act?
1. refusal to amend record 2. refusal of request for access to record 3. failure to comply with data safeguards or any other rights established under PA
OMB M-10-06 Open Government Directive
Government shall be Transparent, Participatory, Collaborative a) publish govt info online b) improve quality of govt info c) create & institutionalize culture of open gov d) create enabling policy framework for open govt
OMB M-03-22
Implementation details of E-Government Act, 2002 **adds to: 1) OMB-M-99-05 Privacy Responsibilities 2) OMB-M-99-18: Privacy Policies on Federal Websites 3) OMB-M-00-13 Privacy Policies and Data Collection on Federal Websites
What are some ways that a PIA and a SA&A are different?
Information system focused, ATO-need approval, need to get recertified, certification report targeted to accreditor, minimize system access and user privileges
OMB M-10-22 Guidance for Online Use of Web Measurement & Customization Technologies (E-Gov Act 2002)
Main Provisions: 1. applies to all Fed agencies 2. rescinds previous guidelines (M-03-13, 2 provisions of M-03-22) 3. lists appropriate uses and prohibitions 4. allows easy opt-out for public a) comply with existing policies for privacy and s b) provide public with alternatives c) limit retention/access d) perform annual compliance reviews - if needed, cite PIA and/or SORN on privacy policy - does not apply to activities that do not involve the public, law enforcement, national security, or intelligence
Adapted PIA
OMB M-10-23 Requirement to conduct a PIA on TPWA site(s)
Overlap between OECD, APEC and FIPP Privacy Principles
Correction, Use, Security
Health Insurance Portability and Accountability Act (HIPAA), 1996
PHI (past/present/future physical/mental condition); healthcare providers, health plans, clearinghouses covered directly, business providers indirectly; Center for Medicare/Medicaid Services (CMS); can't disclose PHI unless permitted by law; enforced by DHHS and State Attorneys General; does not preempt stronger state laws
Privacy Act Enforcement
Civil Remedies and Criminal Penalties
Regarding personal information, in what ways do privacy and information security overlap?
Use, Confidentiality, Access
SBU
Sensitive But Unclassified
OMB-M-10-22 New Cookie Policy (E-Gov Act 2002)
Single Session - Tier 1: allowed without caveat; Persistent - Tier 2: multi-session technology w/o PII, must inform user of activity via clear notice; Persistent - Tier 3: multi-session technology with PII, requires written OCIO and SAOP approval, a) 30-day public comment window b) Explicit opt-in: user must acknowledge and approve cookie's use
Why was the E-Gov Act created?
To ensure sufficient protections for the privacy of personal information as agencies implement citizen-centered electronic government
What are the acceptable uses that TPWA facilitates?
To facilitate the Open Govt Initiative: ________ are allowed to 1) publish govt information online 2) improve the quality of govt information 3) create and institutionalize a culture of Open Government 4) create an enabling policy framework for Open Government
Two Key U.S. Privacy Laws
1) Privacy Act, 1974 2) E-Government Act, 2002
What are required elements of a SORN?
1. Name/location 2. Categories of individuals whose records are maintained 3. Categories of records maintained 4. Each routine use of records, including categories of users and the purpose of such use 5. Policies and practices regarding storage, retrievability, access controls, retention and disposal of the records 6. Title and address of official responsible for SOR
What elements must be included in a federal privacy program?
1) Leadership 2) Privacy Risk Management & Compliance documentation 3) Information Security 4) Incident Response 5) Notice & Redress for Individuals 6) Privacy Training & Awareness 7) Accountability
What is a SOR?
a group of any records under the control of any agency from which information is retrieved by name of individual or some identifying number, symbol or other identifying particular assigned to individual (ie. voice or finger print, picture)
What is routine use?
use of a record that is compatible with the purpose for which it was collected
What is the OMB Memorandum number that contains the currently used definition of PII?
M-07-16
What is the purpose of the 12 exceptions to the Privacy Act of 1974?
To allow agencies to not require an individual's consent to use/disclose PII
When federal, state, or local agency data breaches occur, what types of PII may be compromised?
Names, SSNs, DOBs, Employer ID numbers, e-mails, phone numbers, residential or business addresses, driver's license numbers, bank account information, clinical notes, laboratory tests, prescriptions, health insurance providers
Why was the Privacy Act of 1974 created?
in response to concern over the govt's misuse of citizen data in computerized databases; focus is to restrict how agencies collect, maintain, use and disclose PII
Would the Computer Matching Act apply if the DHS and DOD exchanged information about a potential terrorist attack? Why?
No, because the information exchange does not result in financial benefit
System Changes creating new Privacy Risks (updates to PIA) (OMB M-03-22, E-Gov Act 2002)
a) Conversions b) Anonymous to non-anonymous c) significant system management changes d) significant merging e) New Public Access f) Commercial Sources g) New Interagency Uses h) Internal flow or collection i) alteration in data character
Government in Sunshine Act
a) Ensures collegial bodies within fed agencies do not hold meetings and make decisions in secret b) prescribes procedures agency must follow to claim exemption from open meeting
What are the required components of a PIA?
a) What info b) Why c) Use d) With whom shared e) opportunities to decline to provide/consent to particular uses f) how info is secured g) whether a SOR is being created under PA h) analysis of choices agency made regarding an IT system or collection of information i) information lifecycle analysis
Agency
any exec dept, military dept, govt corp, govt controlled corp, or other establishment in exec branch of fed govt (ie. exec office, regulatory agency)
record
any item, collection or grouping of information that is maintained by an agency about an individual that contains his name, identifying number, symbol or other identifying particular assigned to the individual (ie, finger or voice print, photograph)
IIF (Information in Identifiable Form)
any representation of information that permits the identity of an individual to be reasonably inferred by direct or indirect means
Why is PIA helpful?
assesses actual or potential impacts-including social or ethical- that a system may have on privacy and the ways in which any adverse impacts may be mitigated
PIA (Privacy Impact Assessment) (OMB M-03-22) (Section 208, E-Gov Act 2002)
assessment of actual or potential social and ethical impact of a system on privacy and the ways in which any adverse effects may be mitigated; required by agencies before developing or procuring IT systems that collect, maintain or disseminate information in IIF
Individual
citizen of US, or alien lawfully admitted for permanent residence
System of Records Notice (SORN)
description of system of records an agency maintains published in Federal Register
Data Quality Act of 2002
directs OMB to issue policy/procedural guidelines to agencies to ensure quality, objectivity, utility, and integrity of disseminated information. Agencies: 1) issue own quality guidelines 2) establish mechanisms allowing individuals to have errors corrected 3) report number/nature of complaints received and how handled to OMB annually
GLBA (1999) or Financial Services Modernization Act
domestic financial institutions, non-public personal financial info, enforced by FTC and financial institution regulators, many federal agencies provide services that public may pay for through financial institutions
Controlled Unclassified Information (CUI), 2011
establishes a unified method to categorize unclassified info and ensure handling procedures when agencies share info: 1) identify all SBU markings 2) identify authority for markings 3) review markings for redundancy 4) define all cat/subcats/markings to continue. NARA (National Archives and Records Administration) has CUI registry for categories/subcats/markings
Exemptions to Specific Provisions
exist to not tip off individuals under investigation: SOR maintained by 1. CIA 2. Agencies that perform activities to enforce criminal laws
system of records (SOR)
group of any records under control of any agency from which information is retrieved by: 1) name of individual 2) or some identifying number (ie. SSN), symbol (ie. seal), or other identifying particular assigned to individual
OMB M-03-22: Privacy Policies on Agency Websites (E-Gov, 2002)
implementing privacy provisions of E-Gov 2002. In addition to complying with M-99-18: a) Content of Privacy Policies 1. Consent to collection and sharing (voluntary, grant consent for use of voluntary/mandated info) 2. Rights under the Privacy Act or other privacy laws that primarily apply to specific agencies (HIPAA, IRS Restructuring and Reform Act, Family Educational Rights and Privacy Act) b) Placement of Notices c) Clarity of Notices
Privacy
individual's ability to control use, collection, and dissemination of personal information
Criminal penalties
knowingly and willfully discloses PII, or maintains a SOR without disclosing its existence: 1. misdemeanor 2. fined maximum of $5000
COPPA (1998)
online collection of PII of children under age of 13, rules clarify when/how a website operator must seek consent from parents
What is the purpose of FISMA?
provides framework for ensuring the effectiveness of Information security controls
FISMA (Federal Information Security Management Act)
provides a framework for ensuring the effectiveness of information security controls: 1. Information security program implementation 2. federal program monitoring 3. agency head, CIO, etc. responsibilities 4. Incident response and awareness training requirements 5. annual reports to Congress 6. requirements for a performance program
OMB M-99-18: Guidance and Model Language for Federal Website Privacy Policies (E-Gov Act, 2002)
provides guidance on these situations: 1. intro language 2. info collected/stored automatically 3. info collected from emails and web forms 4. security, intrusion, and detection language 5. significant actions where information may be subject to the Privacy Act
Paperwork Reduction Act (PRA)
reduces the burden of providing info, ensures the quality of info, requires the use of PA statements. Reqs: 1) calculation of time required by agency and respondent (# hrs & # respondents) 2) 60-day notice to public 3) gaining approval from OMB (3-year limit)
Health Information Technology for Economic and Clinical Health Act (HITECH), 2009
related to HIPAA, categories of violations based on culpability tied to tiered ranges of civil monetary penalties, clarifies restrictions on disclosures and sales of health info
Adapted PIA (M-10-23)
required when TPWA make PII available to agency 1) specific purpose of agency's use of TPWA 2) any PII likely to become available to agency through public use of TPWA 3) agency's intended use of PII 4) with whom agency will share PII 5) whether and how agency will maintain PII 6) how agency will secure PII 7) Privacy risks and mitigation strategy 8) whether agency's activities will create or modify a SOR
Red Flags (2003) under Fair and Accurate Credit Transaction Act
requires covered businesses/organizations to implement a written Identity Theft program and use identity theft indicators so businesses can take precautions to prevent ID theft; applies to govt agencies and non-profit orgs that perform functions that meet the def of a financial institution (ex. local govts operating utilities that bill customers for their services)
Confidential Information Protection and Statistical Efficiency Act (CIPSEA), 2002 (Title V, E-Gov Act 2002)
requires statistical agencies to: a) protect information collected for statistical purposes from improper disclosure b) ensure collected information is not used for non-statistical purposes
SA&A (Security Assessment & Authorization)
similar to PIA in that it is a 1. Risk-based analysis 2. Identifies potential risks and mitigation measures 3. Living entity; updated when system or environment changes
OMB: Social Media, Web-based Interactive Technologies, and the PRA
specifies collections not subject to PRA - collection must not use a structured request/response format
Family Educational Rights and Privacy Act (FERPA), 1974
student educational records; academic institutions receiving funds; gives parents rights to students' records until 18 or post high school
Office of Management and Budget (Privacy Act)
supervise agency implementation of Privacy Act provisions. Director: 1. develop/prescribe guidelines/regulations (directives) to agencies 2. assistance/oversight of implementation of Privacy Act by agencies 3. review new and altered system of records and matching program reports. *Additional legal guidance: DOJ Office of Privacy and Civil Liberties - legally analyzes and refers to court decisions regarding certain provisions of Privacy Act
routine use
use of a record for a purpose which is compatible with the purpose for which the record was created in the first place
P3P (Platform for Privacy Preferences)
way to translate a privacy policy into machine-readable format - company's privacy policy is transformed so browser decodes and figures out what policy says - designed to provide users with clear understanding of how a website will use PI - website operators will be able to use P3P language to explain their privacy practices to users - users will be able to configure their software to provide notifications of whether a website will comply with their privacy preferences
TPWA (Third Party Websites or Applications) (M-10-23)
web-based technologies that are not exclusively operated or controlled by a government entity, such as non-gov hosted applications (ex. Twitter) and applications that can be embedded on a gov webpage (ex. YouTube videos)
significant merging
when agencies adopt/alter business process so that govt databases holding PII are merged/centralized/matched with other databases/manipulated
commercial sources
when agencies systematically incorporate into existing systems databases of PII obtained from commercial or public sources
new interagency uses
when agencies work together on shared functions involving significant new uses or exchanges of PII
internal flow or collection
when alteration of a business process results in significant new disclosures or uses of information or incorporation into a system of additional items of PII
Conversions
when converting paper-based records to electronic systems
Anonymous to Non-anonymous
when functions applied to an existing information collection change anonymous information to information in identifiable form
Alteration in data character
when new PII is added to a system and that raises the risk to PI
Significant System Management Changes
when new uses of an existing IT system significantly change how PII is managed in the system
new public access
when user authenticating technology is newly applied to a system accessed by the public