"Embedding Privacy in Federal Information Systems"
Professor Peter P. Swire
Ohio State University
Consultant, Morrison & Foerster LLP
MITRE Corp. Workshop
March 27, 2003
Overview
• Agency privacy before 2001
• E-Government Act of 2002
• Beyond E-Gov
• Total Information Awareness
• Conclusions on security and privacy
I. Government Systems Thru 2000
• Privacy Act of 1974
• “System of Records”
• Notice, consent, access, reasonable administrative and technical measures
• OMB Guidance
Limits of the Privacy Act
• Only applies to “systems of records”
• Not, e.g., to queries of commercial databases
• Large “routine uses”
• Uneven compliance
1999 Web Policies
• OMB Directive from Jack Lew June, 1999
• June 2, 1999, OMB M-99-18
• Available at www.privacy2000.org, under “Presidential Privacy Archives”
• Guidance and model language for federal sites
1999 OMB Policy
• Principal agency web sites
• “Known, major entry points”
• “Substantial collection of personal information”
2000 OMB Cookies Policy
• Issued June 22, 2000, OMB M-00-13
• Reaction to cookies set for the National Office of Drug Control Policy
• Cookies need
  • Clear and conspicuous notice
  • Compelling need to gather the data
  • Publicly disclosed safeguards
  • Personal approval by the agency head
2000 OMB Guidance
• Agencies should comply with requirements of Children’s Online Privacy Protection Act
• Description of privacy practices and steps for compliance on cookies incorporated into annual submission to OMB for IT budgets
• OMB/OIRA has sent out guidance for annual budget submissions
II. E-Government Act of 2002
• Spotlight on Privacy Impact Assessments
• PIAs before the Act
  • IRS PIA adopted as best practice by Federal CIO Council
  • CIO Council encouraged wider use
  • Only moderate adoption in the agencies
  • CIO Council subcommittee on privacy did not continue after January, 2001
PIAs under the E-Gov Act
• PIA required where “developing or procuring IT that collects, maintains, or disseminates information that is in identifiable form”
• Also “new collection of information” that includes information collected from federal reporting requirements affecting 10+ people (Paperwork Reduction Act extension)
PIAs
• Review by agency CIO or equivalent official
• “If practicable”, after completion of the review, publish the PIA
• That can be waived “for security reasons, or to protect classified, sensitive, or private information”
• Copy to OMB
Contents of the PIA
• OMB to issue guidance
  • Perhaps this April or May
• PIAs to be commensurate with
  • size of IT system
  • sensitivity of information
  • risk of harm from unauthorized release
Contents of PIA
• PIA should include
  • what information is to be collected
  • why information is to be collected
  • intended use of the information
  • with whom the information is shared
  • notice or consent for individuals
  • how information is secured
  • whether it is a system of records
Other E-Gov Provisions
• Statutory version of OMB 1999 guidance for privacy policies on agency web pages
• More detail on notice, choice, access, security
• Privacy policies in machine-readable formats
• OMB guidance
• P3P the likely current use
• “Identifiable” permits the identity “to be reasonably inferred”, directly or indirectly
III. Beyond E-Gov
• HIPAA and federal agencies
• Privacy rule this April 14
• Transaction rule this October
• Security rule in 2 years, and also by April 14
• What agencies?
  • VA, DOD, other federal/state health providers
  • Research on human subjects
  • Federal/state health insurance
  • Business associates -- receive data from others
Court Records and Privacy
• OMB/DOJ/Treasury study in Jan. 2001 on bankruptcy records and privacy
• SEARCH and criminal records
• PACER and court records as a current major debate
IV. Total Information Awareness
• Surveillance after September 11
• Wiretap/surveillance changes in USA-PATRIOT Act
• Philosophy of “information sharing”
  • Among agencies
  • Between federal and state/local
TIA
• Does not look like “embedding privacy in federal information systems”
• Contrasting trends
  • Embedding privacy
  • Increasing surveillance (data gathering) and data sharing
Conclusion
• Will need to build federal systems better for security and privacy
• They work together on the level of good data practices
• They can work against each other with surveillance and data sharing proposals
• Not clear how the cross-currents will change practices in coming years
Contact information
• Professor Peter Swire
• www.peterswire.net
• peter@peterswire.net
• (240) 994-4142