United States

Transparency of Privacy Programs and Practices (US0069)

Overview

At-a-Glance

Action Plan: United States Action Plan 2015-2017

Action Plan Cycle: 2015

Status:

Institutions

Lead Institution: The Administration, led by the Office of Management and Budget

Support Institution(s): NA

Policy Areas

Capacity Building, Civic Space, Freedom of Expression

IRM Review

IRM Report: United States End-of-Term IRM Report 2015-2017, United States Mid-Term Report 2015-2017

Early Results: Did Not Change

Design

Verifiable: No

Relevant to OGP Values: No

Ambition (see definition): Low

Implementation

Completion:

Description

Federal information must be protected, and the protection of privacy is of utmost importance. The Administration, led by the Office of Management and Budget, will revise certain guidance on Federal agencies’ responsibilities for protecting personally identifiable information. The revised guidance will include principles that agencies should use to promote fair information practices, such as transparency and accountability. The guidance will also emphasize the importance of using privacy impact assessments to analyze how agencies handle personally identifiable information and ensure that agency processes conform to all applicable privacy requirements. In addition, revised guidance will direct agencies to take a coordinated approach to information security and privacy, including requiring agencies to develop and maintain a continuous monitoring strategy to ensure that privacy and security controls are functioning properly.

IRM Midterm Status Summary

IRM End of Term Status Summary

Commitment 17. Improve Transparency of Privacy Programs and Practices

Commitment Text:

Improve Transparency of Privacy Programs and Practices

Federal information must be protected, and the protection of privacy is of utmost importance. The Administration, led by the Office of Management and Budget, will revise certain guidance on Federal agencies’ responsibilities for protecting personally identifiable information. The revised guidance will include principles that agencies should use to promote fair information practices, such as transparency and accountability. The guidance will also emphasize the importance of using privacy impact assessments to analyze how agencies handle personally identifiable information and ensure that agency processes conform to all applicable privacy requirements. In addition, revised guidance will direct agencies to take a coordinated approach to information security and privacy, including requiring agencies to develop and maintain a continuous monitoring strategy to ensure that privacy and security controls are functioning properly.

Responsible institution: Office of Management and Budget

Supporting institutions: Agencies covered by the Chief Financial Officers Act of 1990

Start Date: Not Specified

End Date: Not Specified

Commitment Aim

This commitment evolved partly as a result of a 2015 hack of government personnel records that compromised more than 20 million people. [225] The commitment aimed to issue revised guidance on federal agencies’ handling of personally identifiable information (PII). [226] The government expected the guidance to promote fair information practices and emphasize the importance of using privacy impact assessments to analyze agencies’ handling of PII. The guidance also advised agencies to adopt a coordinated approach to privacy and information security, including the development of a continuous monitoring strategy.

Status

Midterm: Substantial

At the midterm, the government had made substantial progress on this commitment. The Office of Management and Budget posted draft privacy guidance for public comment in October 2015. The guidance received 67 comments. [227]

End of term: Complete

At the end of term, this commitment was complete. The Office of Management and Budget published a final revised guidance (Circular A-130) on 27 July 2016. [228] Prior to its issuance, the circular was last updated in November 2000. [229]

Regarding privacy concerns, Appendix I of Circular A-130 describes agencies’ “Responsibilities for Management of Personally Identifiable Information [PII].” There, PII refers to information that can be used to identify specific individuals. [230] The appendix applies to both paper and electronic PII. As described in the appendix, specific responsibilities include determining which privacy controls and safeguards are relevant for a particular information system. Agencies should also assess the PII’s sensitivity levels and the “potential risk to individual privacy from the collection, creation, use, dissemination, and maintenance of that PII.” Regarding continuous monitoring, the appendix further notes that agencies must “begin to consider the effect on individual privacy during the earliest planning and development stages of any actions and policies.” They also “must continue to account for privacy implications during each stage of the life cycle of PII.”

Appendix I, Section 6 focuses on agencies’ adoption of fair information practice principles (FIPPs) in the area of privacy and information security. FIPPs are described as principles that agencies should use when evaluating information systems and related processes and programs that are relevant for PII. Particularly relevant for this commitment, the FIPPs’ core principles advise “Agencies should provide individuals with appropriate access to PII and appropriate opportunity to correct or amend PII.” FIPPs also state that agencies “should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the creation, collection, use, processing, storage, maintenance, dissemination, or disclosure of PII.” [231] Per Section 3 of the same appendix, agencies must also designate a senior agency official for privacy to be responsible for ensuring that privacy requirements are met and risks managed. [232]

Regarding privacy and information security, Circular A-130 notes that agencies shall “establish and maintain a comprehensive privacy program that ensures compliance with applicable privacy requirements, develops and evaluates privacy policy, and manages privacy risks.” [233] In line with the commitment, the circular further notes that agencies shall “conduct privacy impact assessments when developing, procuring, or using IT, . . . and make the privacy impact assessments available to the public in accordance with OMB policy.” The circular also instructs agencies to “maintain and post privacy policies on all agency websites, mobile applications, and other digital services.” [234]

While the activities described in the commitment text are complete, the circular itself contains no implementation time frame. At the end of term, using publicly available information, the IRM researcher was unable to verify the circular’s implementation status across federal agencies.

Did It Open Government?

Access to Information: Did Not Change

Although the commitment as written was not relevant to the OGP values of open government, Circular A-130’s privacy elements are indeed relevant for the OGP value of access to information. This is true especially for those elements described in Appendix I and those related to the FIPPs in Appendix I, Section 6. This relevance stems from their stated aim of giving individuals access to their own personally identifiable information and giving them the ability to correct and amend it.

The circular nevertheless does not specify the means through which individuals may do so, nor the processes and timelines that agencies will employ and abide by in response to such requests. These issues are further compounded by the circular’s unclear implementation status. Comments from the Electronic Privacy Information Center corroborate this assessment regarding privacy impact assessments. The center noted that “federal agencies continue to fail to create and publish Privacy Impact Assessments (“PIA”) and other privacy and civil liberties assessments required by law.” [235]

While the activities carried out under the commitment represent an important first step, the commitment has not yet resulted in greater or higher-quality information available to the public.

Carried Forward?

At the time of writing, the US government had not yet published its fourth national action plan. Nonetheless, this commitment as written is complete and should not be carried forward. In the future, it will be important for government agencies to follow through with the implementation of the new circular.

[225] Ellen Nakashima, “Hacks of OPM Databases Compromised 22.1 Million People, Federal Authorities Say,” Washington Post, 9 July 2015, http://wapo.st/2qg9rxl.

[226] For an overview of PII, see US General Services Administration, “Rules and Policies - Protecting PII - Privacy Act,” https://www.gsa.gov/reference/gsa-privacy-program/rules-and-policies-protecting-pii-privacy-act, last updated 13 August 2017, consulted 4 October 2017.

[227] “Circular A-130: Archived Commenting Website,” Office of Management and Budget, https://a130.cio.gov/, consulted 12 September 2011.

[228] Tony Scott, “Managing Federal Information as a Strategic Resource,” The White House blog, 27 July 2016, https://obamawhitehouse.archives.gov/blog/2016/07/26/managing-federal-information-strategic-resource, consulted 11 September 2012. The circular itself is available at https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf, consulted 12 September 2011.

[229] “Circular No. A-130 Revised Transmittal Memorandum No. 4 (28 November 2000),” The White House, 28 November 2000, https://obamawhitehouse.archives.gov/omb/circulars_a130_a130trans4, consulted 12 September 2011.

[230] Ibid., Appendix II-1.

[231] Ibid., Appendix II-2, II-3.

[232] Ibid., Appendix II-3.

[233] Circular A-130, 14, https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf, consulted 12 September 2011.

[234] Ibid., 17.

[235] Written comments provided to the IRM researcher, 30 October 2017. The commenter wished to remain anonymous.


Open Government Partnership