United States

Transparency of Privacy Programs and Practices (US0069)

Overview

At-a-Glance

Action Plan: United States Action Plan 2015-2017

Action Plan Cycle: 2015

Status: Inactive

Institutions

Lead Institution: The Administration, led by the Office of Management and Budget

Support Institution(s): NA

Policy Areas

Capacity Building, Civic Space, Defending Journalists and Activists

IRM Review

IRM Report: United States End-of-Term IRM Report 2015-2017, United States Mid-Term Report 2015-2017

Starred: No

Early Results: Did Not Change

Design

Verifiable: No

Relevant to OGP Values: Not Relevant

Potential Impact:

Implementation

Completion:

Description

Federal information must be protected, and the protection of privacy is of utmost importance. The Administration, led by the Office of Management and Budget, will revise certain guidance on Federal agencies’ responsibilities for protecting personally identifiable information. The revised guidance will include principles that agencies should use to promote fair information practices, such as transparency and accountability. The guidance will also emphasize the importance of using privacy impact assessments to analyze how agencies handle personally identifiable information and ensure that agency processes conform to all applicable privacy requirements. In addition, revised guidance will direct agencies to take a coordinated approach to information security and privacy, including requiring agencies to develop and maintain a continuous monitoring strategy to ensure that privacy and security controls are functioning properly.

IRM Midterm Status Summary

IRM End of Term Status Summary

Commitment 17. Improve Transparency of Privacy Programs and Practices

Responsible institution: Office of Management and Budget

Supporting institutions: Agencies covered by the Chief Financial Officers Act of 1990

Start Date: Not Specified

End Date: Not Specified

Commitment Aim

This commitment evolved partly as a result of a 2015 hack of government personnel records that compromised more than 20 million people.[1] The commitment aimed to issue revised guidance on federal agencies’ handling of personally identifiable information (PII).[2] The government expected the guidance to promote fair information practices and emphasize the importance of using privacy impact assessments to analyze agencies’ handling of PII. The guidance also advised agencies to adopt a coordinated approach to privacy and information security, including the development of a continuous monitoring strategy.

Status

Midterm: Substantial

At the midterm, the government had made substantial progress on this commitment. The Office of Management and Budget posted draft privacy guidance for public comment in October 2015. The guidance received 67 comments.[3]

End of term: Complete

At the end of term, this commitment was complete. The Office of Management and Budget published a final revised guidance (Circular A-130) on 27 July 2016.[4] Prior to its issuance, the circular was last updated in November 2000.[5]

Regarding privacy concerns, Appendix I of Circular A-130 describes agencies’ “Responsibilities for Management of Personally Identifiable Information [PII].” There, PII refers to information that can be used to identify specific individuals.[6] The appendix applies to both paper and electronic PII. As described in the appendix, specific responsibilities include determining which privacy controls and safeguards are relevant for a particular information system. Agencies should also assess the PII’s sensitivity levels and the “potential risk to individual privacy from the collection, creation, use, dissemination, and maintenance of that PII.” Regarding continuous monitoring, the appendix further notes that agencies must “begin to consider the effect on individual privacy during the earliest planning and development stages of any actions and policies.” They also “must continue to account for privacy implications during each stage of the life cycle of PII.”

Appendix I, Section 6 focuses on agencies’ adoption of fair information practice principles (FIPPs) in the area of privacy and information security. FIPPs are described as principles that agencies should use when evaluating information systems and related processes and programs that are relevant for PII. Particularly relevant for this commitment, the FIPPs’ core principles advise “Agencies should provide individuals with appropriate access to PII and appropriate opportunity to correct or amend PII.” FIPPs also state that agencies “should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the creation, collection, use, processing, storage, maintenance, dissemination, or disclosure of PII.”[7] Per Section 3 of the same appendix, agencies must also designate a senior agency official for privacy to be responsible for ensuring that privacy requirements are met and risks managed.[8]

Regarding privacy and information security, Circular A-130 notes that agencies shall “establish and maintain a comprehensive privacy program that ensures compliance with applicable privacy requirements, develops and evaluates privacy policy, and manages privacy risks.”[9] In line with the commitment, the circular further notes that agencies shall “conduct privacy impact assessments when developing, procuring, or using IT, . . . and make the privacy impact assessments available to the public in accordance with OMB policy.” The circular also instructs agencies to “maintain and post privacy policies on all agency websites, mobile applications, and other digital services.”[10]

While the activities described in the commitment text are complete, the circular itself contains no implementation time frame. At the end of term, using publicly available information, the IRM researcher was unable to verify the circular’s implementation status across federal agencies.

Did It Open Government?

Access to Information: Did Not Change

Although the commitment as written was not relevant to the OGP values of open government, Circular A-130’s privacy elements are indeed relevant for the OGP value of access to information. This is true especially for those elements described in Appendix I and those related to the FIPPs in Appendix I, Section 6. This relevance stems from their stated aim of giving individuals access to their own personally identifiable information and giving them the ability to correct and amend it.

The circular nevertheless does not specify the means through which individuals may do so, nor the processes and timelines that agencies will employ and abide by in response to such requests. These issues are further compounded by the circular’s unclear implementation status. Comments from the Electronic Privacy Information Center corroborate this assessment regarding privacy impact assessments. The center noted that “federal agencies continue to fail to create and publish Privacy Impact Assessments (“PIA”) and other privacy and civil liberties assessments required by law.”[11]

While the activities carried out under the commitment represent an important first step, the commitment has not yet resulted in greater or higher-quality information available to the public.

Carried Forward?

At the time of writing, the US government had not yet published its fourth national action plan. Nonetheless, this commitment as written is complete and should not be carried forward. In the future, it will be important for government agencies to follow through with the implementation of the new circular.


[1] Ellen Nakashima, “Hacks of OPM Databases Compromised 22.1 Million People, Federal Authorities Say,” Washington Post, 9 July 2015, http://wapo.st/2qg9rxl.

[2] For an overview of PII, see US General Services Administration, “Rules and Policies - Protecting PII - Privacy Act,” https://www.gsa.gov/reference/gsa-privacy-program/rules-and-policies-protecting-pii-privacy-act, last updated 13 August 2017, consulted 4 October 2017.

[3] “Circular A-130: Archived Commenting Website,” Office of Management and Budget, https://a130.cio.gov/, consulted 12 September 2011.

[4] Tony Scott, “Managing Federal Information as a Strategic Resource,” The White House blog, 27 July 2016, https://obamawhitehouse.archives.gov/blog/2016/07/26/managing-federal-information-strategic-resource, consulted 11 September 2012. The circular itself is available at https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf, consulted 12 September 2011.

[5] “Circular No. A-130 Revised Transmittal Memorandum No. 4 (28 November 2000),” The White House, 28 November 2000, https://obamawhitehouse.archives.gov/omb/circulars_a130_a130trans4, consulted 12 September 2011.

[6] Ibid., Appendix II-1.

[7] Ibid., Appendix II-2, II-3.

[8] Ibid., Appendix II-3.

[10] Ibid., 17.

[11] Written comments provided to the IRM researcher, 30 October 2017. The commenter wished to remain anonymous.

