NIH Office of Management Assessment
Policy and Memoranda

The Privacy Act of 1974, (Public Law 93-579)

  • Protects the privacy of personal information held by the Federal government and was created in response to concerns about how the creation and use of computerized databases might impact individuals' privacy rights; and
  • Safeguards privacy through creating four procedural and substantive rights in personal data. First, it requires government agencies to show an individual any records kept on him or her. Second, it requires agencies to follow certain principles, called "fair information practices," when gathering and handling personal data. Third, it places restrictions on how agencies can share an individual's data with other people and agencies. Fourth, it allows individuals to sue the government for violating its provisions.
    http://www.usdoj.gov/oip/privstat.htm
    http://www.usdoj.gov/oip/04_7_1.html

Title II, Section 208 of the E-Government Act 2002 (Public Law 107-347)

Title III of the E-Government Act 2002 (Public Law 107-347)

  • Referred to as the Federal Information Security Management Act (FISMA), Title III of the E-Gov Act provides a framework for protecting personal information and information systems from unauthorized access, use, disclosure, modification or destruction;
  • Seeks to ensure integrity, confidentiality and availability of personal information and add valuable government-wide management of risks to information security; and
  • Requires agencies to perform program management, evaluation, and reporting activities, such as conducting annual self-assessments and independent assessments by the agency’s Inspector General (IG).
    http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ347.107.pdf

The Freedom of Information Act (FOIA), 5 U.S.C. 552

  • Provides individuals with the right to access personal records that are collected, maintained, disseminated, and/or shared by the Federal government;
  • Allows the government to withhold information provided that the information falls under one or more of the nine exemptions included in the Act;
  • Requires government agencies to respond to information requests within 20 days; and
  • Requires government agencies to list their major information systems, record locator systems, and reference guides via electronic means in an effort to make records available in formats desired by requesters.
    http://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htm
    http://www.hhs.gov/foia/
    http://www.nih.gov/icd/od/foia/index.htm

Health Insurance Portability and Accountability Act (HIPAA)

Office of Management and Budget (OMB) Memoranda

OMB M-03-22: Outlines when and how to conduct PIAs, defines content requirements for website privacy policies, and provides guidance on meeting machine-readable privacy policy and reporting requirements. This memorandum requires agencies to:

  • Conduct PIAs for electronic information systems and collections and make them publicly available;
  • Conduct PIAs following any major system changes;
  • Post privacy policies on public facing agency websites;
  • Translate privacy policies into a standardized machine-readable format; and
  • Report annually to OMB on compliance with Title II, Section 208 of the E-Government Act of 2002.
    http://www.whitehouse.gov/omb/memoranda/m03-22.html

OMB M-05-08: Outlines the overall responsibility and accountability of the Senior Agency Official for Privacy (SAOP) to ensure the agency’s implementation of information privacy protections, including the agency’s full compliance with Federal laws, regulations, and policies. This memorandum requires agencies to:

  • Take appropriate steps necessary to protect personal information from unauthorized use, access, disclosure or sharing, and to protect associated information systems from unauthorized access, modification, disruption or destruction;
  • Maintain appropriate documentation regarding their compliance with information privacy laws, regulations, and policies;
  • Conduct periodic reviews (e.g., as part of their annual FISMA reviews) to promptly identify deficiencies, weaknesses, or risks. When compliance issues are identified, agencies are required to take appropriate steps to remedy them;
  • Review the agency’s information privacy procedures to ensure that they are comprehensive and up-to-date and, where additional or revised procedures may be needed, requires agencies to work with the relevant offices in the consideration, adoption, and implementation of such procedures;
  • Ensure the agency’s employees and contractors receive appropriate training and education programs regarding the information privacy laws, regulations, policies, and procedures governing the agency’s handling of personal information; and
  • Maintain a central policy-making role in the agency’s development and evaluation of legislative, regulatory and other policy proposals which implicate information privacy issues, including those relating to the agency’s collection, use, sharing, and disclosure of personal information.
    http://www.whitehouse.gov/omb/memoranda/fy2005/m05-08.pdf

OMB M-05-15: Provides instruction for agency reporting under FISMA. This memorandum requires agencies to:

  • Ensure that the SAOP completes Section D of the FISMA report in consultation with other agency privacy officials as appropriate;
  • Implement the requirements of FISMA and report annually to OMB and Congress on the effectiveness of their security programs; and
  • Submit clear, accurate reports that avoid discrepancies between the Chief Information Officer (CIO) and the IG report sections.
    http://www.whitehouse.gov/omb/memoranda/fy2005/m05-15.html (replaced by M-07-19, see below)

OMB M-06-15: Reemphasizes agency responsibility to appropriately safeguard sensitive personally identifiable information (PII) and to train employees on their responsibilities in this area. This memorandum requires agencies to:

  • Conduct reviews of policies and processes, and take corrective action as appropriate to ensure adequate safeguards are in place to prevent the intentional or negligent misuse of, or unauthorized access to, PII. Complete this review in time for inclusion into the fiscal year 2006 (FY06) FISMA and Agency Privacy Management report and include any weaknesses in security plans of action and milestones (POA&Ms) already required by FISMA;
  • Remind employees and contractors (within 30 days of M-06-15, May 22, 2007) of their specific responsibilities for safeguarding PII, the rules for acquiring and using such information as well as the penalties for violating these rules; and
  • Promptly and completely report security incidents to proper authorities, including the IG and other law enforcement authorities.
    http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf

OMB M-06-16: Instructs agencies to understand their baseline of activities that properly safeguard information assets while using information technology, and calls agencies to review safeguards in place. This memorandum requires agencies to:

  • Implement the National Institute of Standards and Technology (NIST) checklist for protection of remote information;
  • Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive;
  • Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;
  • Exercise a "time-out" function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity; and
  • Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.
    http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

OMB M-06-19: Provides updated guidance on the reporting of incidents involving PII, reminds agencies of existing requirements and explains new security and privacy requirements. This memorandum requires agencies to:

  • Report all incidents involving PII to the United States Computer Emergency Response Team (US-CERT) within one hour of discovering the incident regardless of whether it is suspected or confirmed; and
  • Identify the specific funds being requested for proposed development, modernization, or enhancement efforts to correct security and privacy weaknesses found during privacy program reviews required by M-06-15 and M-06-16.
    http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-19.pdf

OMB M-07-16: Instructs agencies how to better protect and respond to the breach of PII. This memorandum requires agencies to:

  • Establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, and instruct any such person with respect to such rules and the requirements of the Privacy Act of 1974;
  • Provide job-specific training for managers and employees before granting them access to agency information and information systems. Thereafter, agencies must provide at least annual refresher training;
  • Review existing requirements with respect to privacy and security by ensuring that current records are accurate, relevant, timely, and complete, and reduce them to the minimum necessary for the proper performance of the agency function;
  • Implement more stringent policies such as reducing the volume of collected and retained information (specifically a decrease in use of Social Security Numbers [SSNs]) and employing heightened administrative, technical, and physical security measures;
  • Implement breach notification and SSN reduction policies within 120 days of M-07-16 (May 22, 2007) that address the necessity, timeliness, source, contents, means of provision, and recipients of notification;
  • Report to US-CERT when an individual gains logical or physical access without permission to a Federal agency network, system, application, data or other resource; or when there is a suspected or confirmed breach of PII regardless of the manner in which it might have occurred (Attachment 2, Section B-1 of M-07-16);
  • Publish a routine use for their systems of records notices (SORNs) allowing for the disclosure of information in the course of responding to a breach of Federal data (Attachment 2, Section B-2); and
  • Provide a breach notification, without unreasonable delay, to the Department as well as individuals affected by the breach. The notification must include the source of the breach, a brief description, date of discovery, type of PII involved, a statement whether or not the information was encrypted, what steps individuals should take to protect themselves from potential harm, what the agency is doing to resolve the breach, and who affected individuals should contact for information (Attachment 3, Sections 2-4 of M-07-16).
    http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf

OMB M-07-19: Replaces M-05-15 and M-06-20, and provides clear reporting instructions for the FY07 FISMA and Agency Privacy Management report. This memorandum requires agencies to:

  • Include a breach notification policy which specifies the necessity, timeliness, source, contents, means of provision, and recipients of a breach notification;
  • Provide an implementation plan to eliminate unnecessary use of SSNs;
  • Include an implementation plan and progress update on review and reduction of holdings of PII;
  • Provide policy to outline rules of behavior and identify consequences and corrective actions available for failure to follow these rules; and
  • Include a summary, completed by the SAOP, that communicates the status of agency compliance with privacy laws and policies.
    http://www.whitehouse.gov/omb/memoranda/fy2007/m07-19.pdf
    (Please see M-07-19 page 2 for reporting documents and templates)

OMB M-08-09: Adds new requirements to existing agency annual reporting mechanisms and provides advance notice to agencies about information which will be incorporated into the annual reporting requirements for fiscal year 2008. This memorandum requires agencies to:

  • Submit, by agency, the number of each type of privacy review conducted during the last fiscal year;
  • Submit information about the advice provided by the Senior Agency Official for Privacy during the last fiscal year;
  • Submit the number of written complaints for each type of privacy issue allegation received by the Senior Agency Official for Privacy during the last fiscal year; and
  • Submit for each type of privacy issue received by the Senior Agency Official for Privacy for alleged privacy violations during the last fiscal year, the number of complaints the agency referred to another agency with jurisdiction.
    http://www.whitehouse.gov/omb/memoranda/fy2008/m08-09.pdf

HHS Policy Links:

NIH Policy Links:

Last updated on:
March 24, 2009