Web Privacy
Overview and Requirements
As a result of increased internet usage by Federal agencies to collect and disseminate information, agencies are required to ensure that their websites comply with numerous Federal drivers for privacy, including the E-Government Act of 2002, the Children's Online Privacy Protection Act (COPPA) of 1998, and the Privacy Act of 1974. Web privacy compliance is intended to improve efficiency in information flow while maintaining the highest level of individual privacy.
The E-Gov Act stipulates multiple privacy requirements for Federal agencies, including mandates designed to protect information where website interfaces are used. In particular, the E-Gov Act requires all agencies to have human- and machine-readable privacy policies posted on agency websites used by the public. In addition, agency websites with information directed at children under the age of 13 must take steps to ensure to the greatest extent possible that they have received consent from parents as required by COPPA. Finally, agencies must ensure that any information solicited from members of the public via websites is done so in accordance with the Privacy Act of 1974.
At NIH, IC websites must comply with NIH Manual Chapter 2805 ("Web Page Privacy Policy"):
http://www3.od.nih.gov/oma/manualchapters/management/2805/
Policies and Procedures
NIH Manual 2805 - NIH Web Page Privacy Policy:
http://www3.od.nih.gov/oma/manualchapters/management/2805/
NIH Manual 1825 - Information Collection from the Public:
http://www1.od.nih.gov/oma/manualchapters/management/1825/
HHS Machine-Readable Privacy Policy Guide:
http://intranet.hhs.gov/infosec/docs/policies_guides/MRPPG/policy_guide_toc.html
HHS Accessibility (Section 508) and Email Standard:
http://www.hhs.gov/web/policies/webstandards/accessemail.html
Roles and Responsibilities (e.g., POCs)
NIH Manual 2805 - NIH Web Page Privacy Policy:
http://www3.od.nih.gov/oma/manualchapters/management/2805/
Section 508 Compliance Resources
Beginner's guide to 508 compliance:
http://www.nih.gov/catalyst/2008/08.05.01/page5.html
General Overview:
http://www.section508.gov
Rethinking PowerPoint:
http://www.webaim.org/techniques/powerpoint
http://www.cew.wisc.edu/accessibility/tutorials/pptmain.htm
Accessibility and Microsoft Word:
http://www.webaim.org/techniques/word/
PDF accessibility article:
http://www.alistapart.com/articles/pdf_accessibility
More on PDF, including 10Mb Manual:
http://www.adobe.com/accessibility
http://www.hhs.gov/web/policies/pdfaccessibility/index.html
508 Compliance Checklists:
MS Word – Word Checklist.pdf
PDF – PDF Checklist.pdf
Multimedia – Multimedia Checklist.pdf
HTML – HTML Checklist.pdf
Education and Outreach
NIH Privacy Awareness Training:
http://irtsectraining.nih.gov
HHS Machine-Readable Privacy Policy Guide:
http://intranet.hhs.gov/infosec/docs/policies_guides/MRPPG/policy_guide_toc.html
Frequently Asked Questions (FAQs)
HHS Machine-Readable Privacy Policy FAQs:
http://intranet.hhs.gov/infosec/docs/privacy/MRFAQ/Machine-Readable_Privacy_Policy_FAQs.html
1. Where can I find NIH Privacy Act Notification Criteria and Sample Statements?
2. Who do I contact if a user inquires about the web site’s privacy standards?
3. Can I post a new web site or update an existing web site before it complies with NIH web privacy requirements?
4. Does Section 508 compliance apply to emails?
- Section 508 compliance applies to website design and page content, documents available on the website (such as forms, newsletters and brochures), and on-line systems used for either internal or external purposes. Emails sent in plain text format can generally be read by everyone. If they include web links, the fully qualified URL should be shown as well, including the 'http://www' part.
However, Section 508 does apply to email messages, particularly those which are sent to larger groups, often referred to as 'broadcast mailings.' The current HHS standard with links to more information is available at the following website: http://www.hhs.gov/web/policies/webstandards/accessemail.html.
The Department standard generally states that "HHS must make email accessible to persons with disabilities. All emails—internal or external—as well as their attachments, including graphics, audio, and video must be accessible." In terms of e-mails that are sent to smaller and known audiences, HHS states that these e-mails "should meet Section 508 standards as much as practicable. Alternative or accessible formats ["accommodations"] must be made available upon request."
Questions or concerns about Section 508 Compliance can be directed to the NIH Section 508 Help inbox at the email address: Section508Help@nih.gov.
Definitions
Cookie: Persistent cookies are stored on the user's computer with an expiration date and remain available after the browser is closed. They can track the activities of users over time and across different web sites, and are capable of capturing personal information that can be retrieved by individual identifiers (e.g. name, social security number, etc.). Session cookies collect information for a single browser session only; they are discarded when the browser is closed and do not save information for later retrieval.
Disclaimer: A Web site statement that states that NIH is not responsible for the information or material included on (1) the NIH Web site that was derived from other non-NIH sources and (2) external Web pages. A disclaimer is also used to avoid giving a user the impression that NIH is endorsing information, or a commercial product described on an NIH page or at an external site linked to an NIH page. Disclaimers on copyright, endorsement (general and external links), liability, and medical information may be used, as appropriate, for individual IC Web sites. See Appendix for sample disclaimers. In determining appropriate statements, careful consideration should be given to the nature of the specific site and its potential liability. (Defined in NIH Manual Chapter 2805).
Kid’s Pages: NIH Web sites directed to children under the age of 13. (Defined in NIH Manual Chapter 2805).
Machine-readable Privacy Policy (P3P): A privacy policy published in the standardized Platform for Privacy Preferences (P3P) format, which a web browser or other user agent can read. It requires information systems to inform users when information is collected and how it will be used, so that users can determine whether or not the system's information practices match their own privacy preferences.
Personally Identifiable Information (PII): Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. (Defined in OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments).
Note: The acronyms PII and IIF (Information in Identifiable Form) are often used interchangeably.
Standardized Machine-Readable Format: A published format that a user agent can parse automatically, enabling users to make an informed choice about whether to conduct business with the site.
Verifiable Parental Consent: Consent from the child’s parent or legal guardian, verified by reasonable efforts of Kids’ Pages IC Program/Content Manager in coordination with the IC Web Site Operation Staff (taking into consideration available technology), shall be obtained before collecting, using, or disclosing personal information from or about a child. Verifiable Parental Consent is used to ensure that before personal information is collected from a child, a parent or guardian of the child receives notice of the operator’s information practices and consents to those practices. (Defined in NIH Manual Chapter 2805).
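The Cookie definition above turns on one practical distinction: a persistent cookie carries an expiration (an Expires or Max-Age attribute) and survives the browser session, while a session cookie has neither and is discarded when the browser closes. The following is an added example, not part of NIH Manual Chapter 2805 or of the original page: a small audit helper that reads the Set-Cookie headers a site returns and reports which cookies are persistent, which is the kind a web privacy review has to account for. The header lines are constructed for illustration, and the helper treats a Max-Age of zero or an Expires date in the past as a deletion rather than a persistent cookie, as RFC 6265 specifies.

```python
"""Classify Set-Cookie headers as session or persistent cookies.

Added example for a web privacy review; not code from NIH or from the
page's sources. The sample headers below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional


@dataclass
class CookieInfo:
    name: str
    persistent: bool
    expires: Optional[datetime]
    max_age: Optional[int]
    secure: bool
    http_only: bool


def parse_set_cookie(header: str, now: Optional[datetime] = None) -> CookieInfo:
    """Parse one Set-Cookie header value and decide whether it is persistent."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    expires: Optional[datetime] = None
    max_age: Optional[int] = None
    secure = False
    http_only = False

    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        value = value.strip()
        if key == "expires":
            try:
                expires = parsedate_to_datetime(value)
            except (TypeError, ValueError):
                expires = None  # unparseable date: ignore the attribute
        elif key == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                max_age = None
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True

    # RFC 6265: Max-Age takes precedence over Expires. A cookie with neither
    # attribute is a session cookie. Max-Age <= 0, or an Expires in the past,
    # tells the browser to delete the cookie, so it is not persistent either.
    if max_age is not None:
        persistent = max_age > 0
    elif expires is not None:
        now = now or datetime.now(timezone.utc)
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        persistent = expires > now
    else:
        persistent = False

    return CookieInfo(name, persistent, expires, max_age, secure, http_only)


def audit_cookies(headers: List[str], now: Optional[datetime] = None) -> List[CookieInfo]:
    return [parse_set_cookie(h, now) for h in headers]


def persistent_cookie_names(headers: List[str], now: Optional[datetime] = None) -> List[str]:
    """Names of cookies that would outlive the browser session."""
    return [c.name for c in audit_cookies(headers, now) if c.persistent]


# Constructed sample Set-Cookie header values, as a site might return them.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",                              # session
    "visitor_id=9f8e7d; Expires=Wed, 21 Oct 2099 07:28:00 GMT; Path=/; Secure",  # persistent
    "prefs=lang%3Den; Max-Age=31536000; Path=/",                                # persistent (1 year)
    "old_tracker=x; Max-Age=0; Path=/",                                         # deletion
    "legacy=y; Expires=Thu, 01 Jan 1970 00:00:00 GMT",                          # deletion
]

if __name__ == "__main__":
    for c in audit_cookies(SAMPLE_HEADERS):
        kind = "PERSISTENT" if c.persistent else "session/deleted"
        print(f"{c.name:12} {kind:16} secure={c.secure} httponly={c.http_only}")
```

Running the script lists each cookie with its classification; only visitor_id and prefs are reported as persistent. The Secure and HttpOnly flags are carried along because a review of a site's cookies normally checks them at the same time.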
References
Privacy Act of 1974 (5 U.S.C. Section 552a, as amended):
http://www.usdoj.gov/oip/privstat.htm
http://www.usdoj.gov/oip/04_7_1.html
The E-Government Act of 2002 (see Title II, Section 208 for privacy provisions):
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ347.107.pdf
Children’s Online Privacy Protection Act (COPPA) of 1998:
http://www.ftc.gov/ogc/coppa1.htm
NIH Manual Chapter 2805 – NIH Web Page Privacy Policy
http://www3.od.nih.gov/oma/manualchapters/management/2805/
NIH Manual Chapter 1825 – Information Collection From the Public
http://www1.od.nih.gov/oma/manualchapters/management/1825
NIH Privacy Act Notification - Criteria and Sample Statements:
http://oma.od.nih.gov/ms/privacy/NSCriteria.doc
NIH Information Technology General Rules of Behavior:
http://ocio.nih.gov/security/nihitrob.html
NIH Office of the Chief Information Officer:
http://ocio.nih.gov
NIH Encryption Web Page:
http://ocio.nih.gov/security/HHS_Encrypt_Policy_Guidance_Tools.html